Omniscia Rari Capital Audit

ChainlinkPriceOracle Manual Review Findings

CPO-01M: Incorrect Correlation

Description:

The price feeds utilized for renBTC, WBTC and sBTC incorrectly assume that these tokens are in 1-to-1 synchronization with each other as well as with the underlying token (BTC) they are meant to represent.

Recommendation:

We advise that the price feeds used for these tokens be re-evaluated, as they can cause arbitrage opportunities to arise if the oracle overvalues the tokens, which usually lag behind BTC's actual price.

Alleviation:

The Rari team has stated that they intend to replace the direct BTC feed for the wrapper tokens with actual price feeds representing a more accurate value as better feeds become available.

CPO-02M: Incorrect Price Offset

Description:

The evaluation of a token's USD price relative to ETH's USD price appears to multiply the former by 1e18 to achieve higher-order precision; however, this leads to an overvaluation of the price, as _price is expected to return up to 8 decimal places of precision.

Recommendation:

We advise multiplying by 1e8 instead so that proper values are reported back to the querier of the price.

Alleviation:

After discussion with the Rari team, it was clarified that the underlying oracles report prices in differing granularity, which causes the calculations to yield correct results. ETH-based oracle prices are returned with 18 decimal places, BTC-based oracle prices with 8 decimal places, and USD-based oracle prices with 8 decimal places as well, although the latter are offset by the multiplication and division occurring within the _price function. We still urge the Rari team to confirm that all initialized price feeds comply with this assumption, as a violation can lead to severe deviations in price measurement.

CPO-03M: Inconsistent Normalization

Description:

The price normalization applied here is inconsistent with that applied by Keep3rPriceOracle as well as the normalization that should occur in general.

Recommendation:

We advise this section to be rigorously evaluated, as the current normalization system of the contract does not return the price of a single unit. For example, if the token has no decimals and a price of 1 ETH, the result of _price will be 100000000, as Chainlink has 8 decimals of precision, and the final result will be 1e8 multiplied by 1e18, yielding a 1e26 price in Ether, which does not make sense.

Alleviation:

The Rari team has stated that the intended normalization does indeed result in a final integer scaled by 1e(36 - underlyingDecimals), as that is what Compound expects. Thus, this exhibit can be considered void.
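
The scaling discussed in CPO-02M and CPO-03M, as an added example that is not the audited contract's code: a Python integer model of the feed-decimals assumption (ETH 18, BTC 8, USD 8) and of the 1e(36 - underlyingDecimals) result, with a guard that rejects a feed whose granularity differs. The function and parameter names, the BTC/ETH conversion step and the sample prices are assumptions made for illustration.

```python
# Added illustration; a model of the scaling, not the audited contract's code.
WAD = 10**18  # 1 ETH expressed in wei

# Decimals each feed class is expected to report (from the CPO-02M alleviation).
EXPECTED_FEED_DECIMALS = {"ETH": 18, "BTC": 8, "USD": 8}


def price_in_eth(base, answer, feed_decimals, eth_usd=None, btc_eth=None):
    """Price of one whole token in wei, given a feed answer quoted in `base`.

    eth_usd: ETH/USD answer (8 decimals); btc_eth: BTC/ETH answer (18 decimals).
    Both parameters are hypothetical names for this example.
    """
    expected = EXPECTED_FEED_DECIMALS.get(base)
    if expected is None:
        raise ValueError(f"unknown base currency {base!r}")
    if feed_decimals != expected:
        # A feed with different granularity would skew the result by
        # 10**(feed_decimals - expected), so reject it rather than price with it.
        raise ValueError(f"{base} feed reports {feed_decimals} decimals, expected {expected}")
    if base == "ETH":
        return answer                      # already 1e18-scaled
    if base == "USD":
        return answer * WAD // eth_usd     # the two 1e8 factors cancel
    return answer * btc_eth // 10**8       # BTC: strip the 1e8, keep the 1e18


def compound_price(eth_price_wei, underlying_decimals):
    """Scale a per-token wei price to 1e(36 - underlyingDecimals)."""
    return eth_price_wei * WAD // 10**underlying_decimals


# Constructed sample values, not market data.
ETH_USD = 2_000 * 10**8      # ETH/USD feed answer, 8 decimals
BTC_ETH = 15 * WAD           # BTC/ETH feed answer, 18 decimals
```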