Decimals Not Handled Properly in DebitaV3Aggregator.sol causing inaccuracy of prices.
Summary
The DebitaV3Aggregator.sol contract, specifically within the matchOffersV3 function, does not properly adjust the prices fetched from the oracle contracts to account for the decimals of the price feeds. This oversight can lead to incorrect price calculations, resulting in potential financial discrepancies for users. The adjustment for decimals is neither handled in the Chainlink oracle contract (DebitaChainlink.sol) nor in the matchOffersV3 function, causing the contract to operate with inaccurate price data.
Root Cause
In the DebitaV3Aggregator.sol contract, the getPriceFrom function is used to fetch prices from oracle contracts:
function getPriceFrom(
    address _oracle,
    address _token
) internal view returns (uint) {
    require(oracleEnabled[_oracle], "Oracle not enabled");
    return IOracle(_oracle).getThePrice(_token);
}
This function calls the getThePrice method of the oracle contract (IOracle interface), which returns the price of the specified token.
In the matchOffersV3 function, these prices are used in various calculations to determine ratios, loan amounts, and collateral requirements. Here are some key excerpts:
// Get price of collateral using borrow order oracle
uint priceCollateral_BorrowOrder;
if (borrowInfo.oracle_Collateral != address(0)) {
    priceCollateral_BorrowOrder = getPriceFrom(
        borrowInfo.oracle_Collateral,
        borrowInfo.valuableAsset
    );
}
// ... Later in the code ...
uint pricePrinciple = getPriceFrom(
    borrowInfo.oracles_Principles[indexForPrinciple_BorrowOrder[i]],
    principles[i]
);
// Calculate the value per collateral unit
uint ValuePrincipleFullLTVPerCollateral = (priceCollateral_BorrowOrder * 10 ** 8) / pricePrinciple;
// ... Further calculations ...
Calculating Lender's Ratios:
uint priceCollateral_LendOrder = getPriceFrom(
    lendInfo.oracle_Collaterals[collateralIndex],
    borrowInfo.valuableAsset
);
uint pricePrinciple = getPriceFrom(
    lendInfo.oracle_Principle,
    principles[principleIndex]
);
// Calculate full ratio per lending
uint fullRatioPerLending = (priceCollateral_LendOrder * 10 ** 8) / pricePrinciple;
// ... Further calculations ...
The prices obtained from getPriceFrom are used directly in calculations without adjusting for the decimals of the price feeds. This can lead to incorrect ratios and valuations because:
Oracle Price Feeds Have Varying Decimals:
Chainlink price feeds, for example, can have different numbers of decimals depending on the asset.
Not adjusting for these decimals means that the raw price values may not be on the same scale, causing erroneous calculations.
The multiplication by 10 ** 8 in the code is intended to increase precision, but it does not compensate for varying decimals across different price feeds.
Without adjusting for the actual decimals of each price feed, the ratios derived from these prices will be incorrect.
The oracle contracts (DebitaChainlink.sol and DebitaPyth.sol) were previously identified as not adjusting the prices for decimals. In the DebitaChainlink.sol contract:
The getThePrice function returns the raw price from latestRoundData() without adjusting for priceFeed.decimals().
This means the price returned may have a different scale than expected, leading to incorrect calculations in DebitaV3Aggregator.sol.
Impact
Inaccuracy of price feeds.
Mitigation
Handle decimals properly.
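One way to apply this mitigation, shown as an added example that is not code from the Debita repository: each feed's answer is rescaled to a common number of decimals before the collateral/principle ratio is computed. The library name `NormalizedPrice`, its functions and `TARGET_DECIMALS` are hypothetical; the sketch assumes both oracles are Chainlink feeds exposing `decimals()` and `latestRoundData()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper library (assumption, not part of the Debita code base).
library NormalizedPrice {
    // Assumed common scale that every price is converted to before use.
    uint8 internal constant TARGET_DECIMALS = 18;

    // Rescale a raw feed answer from `feedDecimals` to TARGET_DECIMALS.
    function scale(uint256 raw, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return raw;
        if (feedDecimals < TARGET_DECIMALS) {
            return raw * 10 ** uint256(TARGET_DECIMALS - feedDecimals);
        }
        // Feed is more precise than the target: scale down (truncates).
        return raw / 10 ** uint256(feedDecimals - TARGET_DECIMALS);
    }

    // Read a feed and return its price expressed with TARGET_DECIMALS.
    function read(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        require(answer > 0, "Invalid price");
        return scale(uint256(answer), feed.decimals());
    }

    // Collateral/principle ratio with the 10 ** 8 precision factor used in
    // matchOffersV3, computed only after both prices share one scale.
    function ratio(
        AggregatorV3Interface collateralFeed,
        AggregatorV3Interface principleFeed
    ) internal view returns (uint256) {
        return (read(collateralFeed) * 10 ** 8) / read(principleFeed);
    }
}
```

With both prices on the same scale, the result of `ratio` no longer depends on whether the two feeds report 8 and 18 decimals or the same number.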
sherlock-admin3 changed the title from "Cheery Mocha Mammoth - Decimals Not Handled Properly in DebitaV3Aggregator.sol causing inaccuracy of prices." to "0xDgiin - Decimals Not Handled Properly in DebitaV3Aggregator.sol causing inaccuracy of prices." on Dec 12, 2024
0xDgiin
Medium