Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Concrete>Discussion>The ConcreteOracle.getAssetPrice should ensure the returned price uses eight decimals
GeneralOverview
Findings
High (2)
Medium (6)
Low (8)
Informational (9)
DiscussionThe ConcreteOracle.getAssetPrice should ensure the returned price uses eight decimalsUnused _decimals variable in strategiesTest suite
DesignComponent: ControllerComponent: ConcreteMultiStrategyVaultComponent: WithdrawalComponent: Strategies
Audit ResultsAssessment Results

The ConcreteOracle.getAssetPrice should ensure the returned price uses eight decimals

The getAssetPrice function has three main execution paths for returning a price:

  1. Primary oracle path. It queries the price from the source oracle and normalizes it to eight decimals.

    return _normalizePrice(source, uint256(price));

  2. Base currency path. If the requested asset is the BASE_CURRENCY, the function returns the BASE_CURRENCY_UNIT constant directly.

    // Assumes BASE_CURRENCY_UNIT is already 10**8 if (asset == BASE_CURRENCY) { return BASE_CURRENCY_UNIT; }

  3. Fallback oracle path. If the primary source is missing, the price is stale, or the sequencer is offline, the function returns the price from the fallback oracle.

    return _getAssetPriceFromFallbackOracle(asset);

The primary path normalizes the price to ensure it uses eight decimals:

function _normalizePrice(AggregatorV3Interface source, uint256 _price) internal view returns (uint256) {
    uint256 decimals = source.decimals();
    if (decimals == 8) {
        return _price;
    } else if (decimals > 8) {
        return _price / (10 ** (decimals - 8));
    } else {
        return _price * (10 ** (8 - decimals));
    }
}

However, the other two paths do not guarantee that the returned price uses eight decimals. It is recommended to ensure that prices from these paths also use eight decimals.

Zellic © 2025Back to top ↑