Brenzee - `StableOracleDAI` - ETH/DAI price is fetched instead of DAI/ETH

Question

Brenzee - `StableOracleDAI` - ETH/DAI price is fetched instead of DAI/ETH

sherlock-admin opened this issue a year ago · comments

sherlock-admin commented a year ago

Brenzee

medium

`StableOracleDAI` - ETH/DAI price is fetched instead of DAI/ETH

Summary

DAIEthOracle.quoteSpecificPoolsWithTimePeriod function is called in StableOracleDAI to get the DAI price in ETH, but the returned value is ETH price in DAI.

Vulnerability Detail

Inside StableOracleDAI.getPriceUSD DAIEthOracle.quoteSpecificPoolsWithTimePeriod function is called, which is meant to be called to get DAI price in ETH. (This is assumed because the calculation in return statement requires that the DAIWethPrice is DAI price in ETH)

        uint256 DAIWethPrice = DAIEthOracle.quoteSpecificPoolsWithTimePeriod(
            1000000000000000000, // 1 Eth
            0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2, // WETH (base token)
            0x6B175474E89094C44Da98b954EedeAC495271d0F, // DAI (quote token)
            pools, // DAI/WETH pool uni v3
            600 // period
        );

But this call actually returns ETH price in DAI, which is incorrect.
(1804836157165384490178 => 1804.83 USD at the time of making this report)

Impact

Since DAIEthOracle.quoteSpecificPoolsWithTimePeriod function returns ETH price in DAI, calculated price at the end is incorrect.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L36-L42

Tool used

Manual Review

Recommendation

Switch WETH address and DAI address in the quoteSpecificPoolsWithTimePeriod function.

        uint256 DAIWethPrice = DAIEthOracle.quoteSpecificPoolsWithTimePeriod(
            1000000000000000000, // 1 Eth
            0x6B175474E89094C44Da98b954EedeAC495271d0F, // DAI (quote token)
            0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2, // WETH (base token)
            pools, // DAI/WETH pool uni v3
            600 // period
        );

Duplicate of #102

T1MOH593 · Answer 1 · Sat Jun 24 2023 00:42:21 GMT+0800 (China Standard Time)

Escalate for 10 USDC

This is not a duplicate of #909.
It tells about using DAI/ETH instead of ETH/DAI on Chainlink. And #909 tells about completely different issue with oracles

sherlock-admin · Answer 2 · Sat Jun 24 2023 00:42:23 GMT+0800 (China Standard Time)

Escalate for 10 USDC

This is not a duplicate of #909.
It tells about using DAI/ETH instead of ETH/DAI on Chainlink. And #909 tells about completely different issue with oracles

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Hrishikesh Bhat · Answer 3 · Tue Jul 04 2023 11:29:29 GMT+0800 (China Standard Time)

Result:
High
Duplicate of #102

sherlock-admin · Answer 4 · Tue Jul 04 2023 11:29:33 GMT+0800 (China Standard Time)

Escalations have been resolved successfully!

Escalation status:

T1MOH593: accepted

Brenzee - `StableOracleDAI` - ETH/DAI price is fetched instead of DAI/ETH

StableOracleDAI - ETH/DAI price is fetched instead of DAI/ETH

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

`StableOracleDAI` - ETH/DAI price is fetched instead of DAI/ETH