TradingLibrary.verifyPrice: Negative prices not correctly handled #297
Comments
code423n4
added
2 (Med Risk)
|
Agree with finding, but not convinced by severity, what are the odds of a negative CL feed? Has this ever happened? |
|
Have asked some info to CL and believe this finding will be downgraded to R at most (not even Low) A CL feed ultimately has min and max boundaries, and Price Feeds will have positive min / max values Negative prices seem to be supported for Commodities Future if you were wondering |
|
Price feed can't be negative. Even if we assumed it can be, code will revert. |
|
TriHaz marked the issue as sponsor disputed |
c4-sponsor
added
the
sponsor disputed
|
Downgrading to R as I would recommend a check before casting, however no clear risk was shown R |
c4-judge
added
QA (Quality Assurance)
|
Duplicate of #334 |
|
Note that a cast to uint256 will not revert on a negative number, you'll get the twos complement of the value |
|
Remove Dup of 334 label and mark as unsatisfactory as requested by @GalloDaSballo |
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/utils/TradingLibrary.sol#L113-L115
Vulnerability details
Impact
Referring to the docs, Chainlink oracles are returning the price as an int256, which means that the answer can be a negative price.
https://docs.chain.link/data-feeds/price-feeds/api-reference
Later, this price is casted as an uint256, which overflows when price < 0.
Let's say _chainlinkFeed.latestAnswer() = -1. Then, price will be equal to type(uint256).max (i.e., a huge number) and this wrong price will be used by the system, leading to system stuck.
Proof of Concept
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/utils/TradingLibrary.sol#L113-L115
Tools Used
None
Recommended Mitigation Steps
Check that the latest answer is > 0 before casting
The text was updated successfully, but these errors were encountered: