Skip to content

Latest commit

 

History

History
46 lines (28 loc) · 1.59 KB

033.md

File metadata and controls

46 lines (28 loc) · 1.59 KB

saidam017

high

StableOracleDAI and StableOracleWBGL use wrong static uniswapv3 oracle address

Summary

StableOracleDAI and StableOracleWBGL use static uniswapv3 price oracle to calculate the USD price, but use incorrect address when define the static uniswapv3 oracle instance.

Vulnerability Detail

StableOracleDAI and StableOracleWBGL defined the staticOracleUniV3 inside StableOracleWBGL and DAIEthOracle inside StableOracleDAI with incorrect address.

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L27-L29

        DAIEthOracle = IStaticOracle(
            0x982152A6C7f732Ec7C9EA998dDD9Ebde00Dfa16e // this is address of wbgl/weth uni v3 pool, not price oracle
        );

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBGL.sol#L18-L20

        staticOracleUniV3 = IStaticOracle(
            0x982152A6C7f732Ec7C9EA998dDD9Ebde00Dfa16e // this is address of wbgl/weth uni v3 pool, not price oracle
        );

Impact

the StableOracleDAI and StableOracleWBGL's getPriceUSD() will not work properly.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBGL.sol#L18-L20 https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L27-L29

Tool used

Manual Review

Recommendation

Provide the correct address for staticOracleUniV3 inside StableOracleWBGL and DAIEthOracle inside StableOracleDAI.