Skip to content

Latest commit

 

History

History
50 lines (28 loc) · 1.43 KB

115.md

File metadata and controls

50 lines (28 loc) · 1.43 KB

Fast Khaki Raccoon

Medium

symbol is not a part of the standart ERC20 methods and would simtimes revert

Summary

DIAOracleV2SinglePriceOracle::getPriceUSD18 would revert on some tokens like MKR which have name and symbol as bytes

Root Cause

DIAOracleV2SinglePriceOracle::getPriceUSD18 would revert on some tokens like MKR which has name and symbol set as bytes.

The problem here is the bellow code which assumes that standard ERC20 tokens will have name and symbol at all:

https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/oracle/DIAOracleV2SinglePriceOracle.sol#L19

        string memory _symbol = IERC20Metadata(_quoteToken).symbol();

When we call the name and symbol of MKR we will get https://etherscan.io/token/0x9f8f72aa9304c8b593d555f12ef6589cc3a579a2#readContract 0x4d4b520000000000000000000000000000000000000000000000000000000000 as symbol 0x4d616b6572000000000000000000000000000000000000000000000000000000 as name

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

Contract will not work with some tokens.

Impact

DIAOracleV2SinglePriceOracle's getPriceUSD18 will not work with some tokens, like MKR. Meaning that getPrices will not work with such tokens (as it's uses getPriceUSD18 down the line ).

PoC

No response

Mitigation

Make sure you add the .symbol or .name in a try/catch