UltraVaultRateProvider Manual Review Findings

UVR-01M: Inexistent Restriction of Decimals

Type	Severity	Location
Mathematical Operations		UltraVaultRateProvider.sol:L102

Description:

The decimals of an asset are not restricted when dealing with a pegged asset, an approach that may result in an overflow or underflow when converting between decimal denominations through the UltraVaultRateProvider::_convertDecimals function.

Impact:

Certain assets might result in exponential overflows if their decimal differs greatly from that of the base asset's.

Example:

Copy
88/// @inheritdoc IUltraVaultRateProvider
89function addAsset(address asset, bool isPegged, address rateProvider) external onlyOwner {
90    // Checks
91    AssetData memory data = supportedAssets(asset);
92    require(!data.isPegged && data.rateProvider == address(0), AssetAlreadySupported());
93    if (isPegged) {
94        require(rateProvider == address(0), InvalidRateProvider());
95    } else {
96        require(rateProvider != address(0), InvalidRateProvider());
97    }
98
99    // Update storage
100    _getStorage().supportedAssets[asset] = AssetData({
101        isPegged: isPegged,
102        decimals: IERC20Metadata(asset).decimals(),
103        rateProvider: rateProvider
104    });
105
106    // Emit events
107    emit AssetAdded(address(asset), isPegged);
108    if (!isPegged) {
109        emit RateProviderUpdated(address(asset), rateProvider);
110    }
111}

Recommendation:

We advise a restriction to be imposed on the maximum delta between the base asset and the introduced asset, ensuring that the power operations do not result in an overflow that prohibit conversions from being properly calculated.

Alleviation (28f27853965de07fb79f4f2b5fed696d35120032):

The code was revised to always sanitize the _decimals of an asset being included in the system, ensuring they comply by they are within the [6,18] value range and thus do not result in an abnormal exponent.