Skip to content

Latest commit

 

History

History
57 lines (36 loc) · 1.49 KB

067.md

File metadata and controls

57 lines (36 loc) · 1.49 KB

Shaggy Clay Cobra

High

Incorrect price returned from BondOracleAdapter contract

Summary

The contract BondOracleAdapter returns the wrong price unit, which is not in term of Bond token decimals

Root Cause

The function BondOracleAdapter::latestRoundData() returns the price x96, not the price in term of Bond token decimals

  function latestRoundData()
    external
    view
    returns (uint80, int256, uint256, uint256, uint80){
    uint32[] memory secondsAgos = new uint32[](2);
    secondsAgos[0] = twapInterval; // from (before)
    secondsAgos[1] = 0; // to (now)

    (int56[] memory tickCumulatives, ) = ICLPool(dexPool).observe(secondsAgos);

    uint160 getSqrtTwapX96 = TickMath.getSqrtRatioAtTick(
      int24((tickCumulatives[1] - tickCumulatives[0]) / int56(uint56(twapInterval)))
    );

@>    return (uint80(0), int256(getPriceX96FromSqrtPriceX96(getSqrtTwapX96)), block.timestamp, block.timestamp, uint80(0));
  }

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

  1. Assume that the collateral level is currently above the threshold -> a Bond token is priced BOND_TARGET_PRICE = 100
  2. Market rate reported from Oracle is 95
  3. An user redeem BondETH with rate = 100, instead of 95

Impact

  • Wrong Bond token price will be used in the system

PoC

No response

Mitigation

No response