Omniscia Swisscoast Audit

SupraCaller Manual Review Findings

SCR-01M: Improper Handling of Decimals

Description:

The SupraCaller::_scalePriceByDigits function expects the Supra oracle decimals to always be less-than-or-equal-to 8 which is incorrect.

Impact:

The SupraCaller::_scalePriceByDigits function will be unable to scale prices properly due to multiplication overflows that would result from an overflown 8 - decimals exponent.

Example:

packages/contracts/contracts/Dependencies/SupraCaller.sol
function _scalePriceByDigits(uint _price, uint decimals) internal pure returns (uint) {
    return _price.mul(10**(8 - decimals));
}

Recommendation:

We advise the system to properly handle decimals that are either greater-than or lower-than 8 by performing a division or multiplication respectively.

Alleviation (04618e407bddce5b22e9cadd787fd3334bd3afe6):

The SupraCaller::_scalePriceByDigits function was updated to handle all types of input _decimals, alleviating this exhibit.

SCR-02M: Incorrect Accuracy of Yielded Value

Description:

The SupraCaller::getSupraCurrentValue function will yield a value with 1e16 accuracy instead of the 1e8 accuracy expected by the HLiquity system.

Impact:

Functions such as BorrowerOperations::_getUSDValue will yield significantly higher values, causing the HCHF token to be minted at abnormal amounts and thus to be devalued in relation to its "real" decimals.

Example:

packages/contracts/contracts/Dependencies/SupraCaller.sol
function getSupraCurrentValue(uint256 _priceIndexHBARUSD, uint256 _priceIndexUSDCH)
    external
    view
    override
    returns (
        bool ifRetrieve,
        uint256 value,
        uint256 _timestampRetrieved
    )
{
    (uint256 roundHBARUSD, uint256 decimalsHBARUSD, uint256 _timeHBARUSD, uint256 _priceHBARUSD) = supra.getSvalue(_priceIndexHBARUSD);
    (uint256 roundUSHCHF, uint256 decimalsUSHCHF, uint256 _timeUSHCHF, uint256 _priceUSHCHF) = supra.getSvalue(_priceIndexUSDCH);

    uint256 basePriceHBARUSD = _scalePriceByDigits(_priceHBARUSD, decimalsHBARUSD);
    uint256 basePriceUSHCHF = _scalePriceByDigits(_priceUSHCHF, decimalsUSHCHF);

    uint256 hbarChfPrice = basePriceHBARUSD * basePriceUSHCHF;

    uint256 publishTime = _timeHBARUSD < _timeUSHCHF ? _timeHBARUSD : _timeUSHCHF;

    if (hbarChfPrice > 0) {
        uint256 positiveValue = hbarChfPrice;
        return (true, positiveValue, publishTime);
    }
    return (false, 0, publishTime);
}

Recommendation:

We advise the result of the referenced multiplication to be divided by 1e8, ensuring its accuracy is normalized.

Alleviation (04618e407bddce5b22e9cadd787fd3334bd3afe6):

The yielded price is properly divided by 1e8 as advised, ensuring the accuracy of the SupraCaller matches the one expected by the HLiquity system.
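
The sketch below combines the recommendations of SCR-01M and SCR-02M. It is an added example, not the code at the alleviation commit or any code from the audited project. The library name, function names, the ^0.8.0 pragma (checked arithmetic instead of the SafeMath used by the audited contract) and the sample prices in the comments are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumption: built-in overflow checks replace SafeMath

// Hypothetical library illustrating both recommendations.
library OracleScalingExample {
    uint256 internal constant TARGET_DECIMALS = 8; // accuracy expected by HLiquity
    uint256 internal constant TARGET_UNIT = 1e8;

    // SCR-01M: normalise a price reported with `decimals` digits to 8 digits,
    // multiplying when decimals < 8 and dividing when decimals > 8.
    function scaleTo8(uint256 price, uint256 decimals) internal pure returns (uint256) {
        if (decimals == TARGET_DECIMALS) {
            return price;
        }
        if (decimals < TARGET_DECIMALS) {
            // Exponent is in 1..8, so the subtraction cannot wrap.
            return price * 10 ** (TARGET_DECIMALS - decimals);
        }
        uint256 excess = decimals - TARGET_DECIMALS;
        // 10**78 exceeds 2**256, so every uint256 price truncates to zero here;
        // returning 0 avoids a revert inside the exponentiation.
        if (excess > 77) {
            return 0;
        }
        // Integer division truncates toward zero; precision beyond 8 digits is dropped.
        return price / 10 ** excess;
    }

    // SCR-02M: the product of two 1e8-accuracy prices has 1e16 accuracy,
    // so divide once by 1e8 to return to 1e8 accuracy.
    function crossPrice(uint256 priceA8, uint256 priceB8) internal pure returns (uint256) {
        return (priceA8 * priceB8) / TARGET_UNIT;
    }

    // Constructed sample values:
    //   HBAR/USD = 0.07 reported with 18 decimals -> 7e16 -> scaleTo8 = 7_000_000
    //   USD/CHF  = 0.90 reported with 8 decimals  -> 90_000_000 (unchanged)
    //   crossPrice(7_000_000, 90_000_000) = 6_300_000, i.e. 0.063 at 1e8 accuracy
    function hbarChf(
        uint256 priceHbarUsd,
        uint256 decimalsHbarUsd,
        uint256 priceUsdChf,
        uint256 decimalsUsdChf
    ) internal pure returns (uint256) {
        return crossPrice(
            scaleTo8(priceHbarUsd, decimalsHbarUsd),
            scaleTo8(priceUsdChf, decimalsUsdChf)
        );
    }
}
```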