Active Boosts

Boost _ Folks Finance 34169 - [Smart Contract - Low] Potential revert in PythNode library due to incorrect use of SafeCast toUint

Submitted on Tue Aug 06 2024 04:44:59 GMT-0400 (Atlantic Standard Time) by @nnez for Boost | Folks Finance

Report ID: #34169

Report type: Smart Contract

Report severity: Low

Target: https://testnet.snowtrace.io/address/0xA758c321DF6Cd949A8E074B22362a4366DB1b725

Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

Description

Description

In the PythNode library's process function, there's a potential issue with the price calculation logic when dealing with negative exponents from Pyth price feeds. The function attempts to convert a potentially negative int256 value to uint256 using the SafeCast.toUint256() method, which will always revert for negative inputs.

See: https://github.com/Folks-Finance/folks-finance-xchain-contracts/blob/main/contracts/oracle/nodes/PythNode.sol

uint256 price = factor > 0
    ? pythData.price.toUint256() * (10 ** factor.toUint256())
    : pythData.price.toUint256() / (10 ** factor.toUint256());

When factor is negative, the second branch is executed, attempting to convert factor to uint256. This conversion will invariably fail for negative values, causing the transaction to revert.

See: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/math/SafeCast.sol#L567-L579

Note: PythNode library is a part of NodeManager.sol (in-scope asset).

Impact

The impact of this issue is that it will cause a revert in the process function when dealing with price feeds that result in a negative factor.

Rationale for Severity

The severity of this issue is considered Low for the following reasons:

  1. This branch might be unreachable in the first place as it requires < -18 exponent return from a Pyth node, which is currently non-existent.

  2. The affected price feeds might not be integrated with the protocol.

Despite the two reasons mentioned, it's still a techically valid bug and should be fixed.

Proof of concept

Proof-of-Concept

Requirement

  • chisel 0.2.0 (3ae4f50 2024-07-07T00:21:48.451168337Z)

Steps

  1. Run git clone https://github.com/Folks-Finance/folks-finance-xchain-contracts.git

  2. Run cd folks-finance-xchain-contracts

  3. Run chisel inside the directory

  4. Run below code, line by line in the REPL

import "@openzeppelin/contracts/utils/math/SafeCast.sol";
using SafeCast for int256;
int256 factor = -1;
factor.toUint256();

  1. Observe that it reverts when trying to convert factor to uint256

PreviousBoost _ Folks Finance 34161 - [Smart Contract - Medium] Denial of Service via Front-Running in Loan Creation MechanismNextBoost _ Folks Finance 34174 - [Smart Contract - Low] Bug in liquidation logic leads to stealing funds from liquidatorsunprofitable liquidations

Last updated