Bahurum - `price` is DAI/ETH instead of ETH/DAI in `StableOracleDAI.getPriceUSD()`
sherlock-admin opened this issue · comments
Bahurum
high
price is DAI/ETH instead of ETH/DAI in StableOracleDAI.getPriceUSD()
Summary
In StableOracleDAI, price is supposed to be the price of ETH in DAI, but is the price of DAI in ETH instead.
Vulnerability Detail
StableOracleDAI.getPriceUSD() takes the average of the UniV3 WETH-DAI TWAP price and the DAI/ETH Chainlink oracle price.
DAIWethPrice is the amount of DAI corresponding to 1 ETH, while price is the amount of ETH in 1 DAI. The average in:
return
(wethPriceUSD * 1e18) /
((DAIWethPrice + uint256(price) * 1e10) / 2);is incorrect as price is much smaller than it should be.
When an user calls USSD.mintForToken() using DAI, he will obtain an incorrect amount of USSD.
Impact
DAI price used is incorrect, causing amounts minted with DAI to be incorrect.
Code Snippet
Tool used
Manual Review
Recommendation
Compute the ETH/DAI price from the DAI/ETH chainlink feed.
...
(, int256 price, , , ) = priceFeedDAIETH.latestRoundData();
+ price = 1e36 / uint256(price)
...Duplicate of #102
Escalate for 10 USDC
This is not a duplicate of #909.
It tells about using DAI/ETH instead of ETH/DAI on Chainlink. And #909 tells about completely different issue with oracles
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Result:
High
Duplicate of #102