
Bug Deep Dive #13

Price cannot be represented when a high-value base asset is quoted in a high-decimal asset - $3318


A design flaw in the DEX's price representation logic can render certain trading pairs non-functional. The internal price calculation for pairs where a high-value base asset is quoted in a high-decimal asset (e.g., WBTC/DAI) can exceed the maximum value of the Udec128_24 type used for storage. This causes transactions to fail, effectively creating a denial of service for that market.
Readme:

The DEX contract is intended to work with tokens with >= 0 and <=18 decimal places (ie, issues related to the token having >=0 and <=18 decimals can be considered valid and in scope) and prices as low as 0.00001 USD (an example of this would be the SHIB token).

The internal price is stored as a Price, which is a type alias for Udec128_24. This is a 128-bit unsigned number with 24 fixed decimal places. Its maximum representable value is (2^128 - 1) / 10^24, which is approximately 3.4e14.

The DEX converts human-readable prices into an internal format by scaling them based on the decimal counts of the two tokens involved:

Internal Price = Nominal Price * (Base Unit of Base Token / Base Unit of Quote Token)

The issue is that for certain valid pairs under the README's definition, this scaling formula produces a result that overflows the Udec128_24 limit. A concrete example is the WBTC/DAI pair.

  • Pair: WBTC (base) vs. DAI (quote)
  • Nominal Price: 1 BTC = $110,000 DAI
  • Decimals:
    • WBTC (base_decimals): 8
    • DAI (quote_decimals): 18
  • Internal Price = 110,000 * 1e-8 / 1e-18
  • Internal Price = 110,000 * 10^(18 - 8)
  • Internal Price = 110,000 * 10^10
  • Internal Price = 1.1e15

This calculated Internal Price of 1.1e15 is substantially larger than the maximum representable value of ~3.4e14. The price itself cannot be stored, leading to an arithmetic overflow.

This failure directly contradicts the README's promise to support all tokens with 0 to 18 decimals, as this common and realistic pair is fundamentally incompatible.
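The overflow above can be reproduced with checked 128-bit arithmetic. This is an added example, not code from the DEX or the report: it models the 24-decimal price as a raw `u128`, and the function names and the 6-decimal quote used for contrast are assumptions made for illustration. It also generalizes the article's single pair by scanning every decimal combination in the README's 0 to 18 range.

```rust
// Added example: stand-alone model of a 128-bit unsigned fixed-point price
// with 24 decimals. All names are hypothetical, not the DEX's own API.
const SCALE: u128 = 1_000_000_000_000_000_000_000_000; // 10^24

/// Scale a nominal price (raw 24-decimal fixed point) by
/// 10^(quote_decimals - base_decimals). None means the result does not fit.
fn to_internal(nominal_raw: u128, base_dec: u32, quote_dec: u32) -> Option<u128> {
    if quote_dec >= base_dec {
        let factor = 10u128.checked_pow(quote_dec - base_dec)?;
        nominal_raw.checked_mul(factor) // checked: overflow becomes None
    } else {
        // Scaling down cannot overflow, but tiny prices can truncate to 0.
        Some(nominal_raw / 10u128.checked_pow(base_dec - quote_dec)?)
    }
}

/// Largest whole-number nominal price that is still storable for a pair
/// (decimals assumed to be within the README's 0..=18 range).
fn max_nominal_whole(base_dec: u32, quote_dec: u32) -> u128 {
    let factor = 10u128.pow(quote_dec.saturating_sub(base_dec));
    u128::MAX / factor / SCALE
}

/// Every (base_decimals, quote_decimals) combination in the README's 0..=18
/// range for which the given nominal price cannot be stored.
fn unsupported_pairs(nominal_raw: u128) -> Vec<(u32, u32)> {
    let mut out = Vec::new();
    for base in 0..=18 {
        for quote in 0..=18 {
            if to_internal(nominal_raw, base, quote).is_none() {
                out.push((base, quote));
            }
        }
    }
    out
}

fn main() {
    let btc = 110_000 * SCALE; // the article's nominal price, 110,000
    println!("WBTC/DAI (8, 18): {:?}", to_internal(btc, 8, 18));
    println!("8-decimal base, 6-decimal quote: {:?}", to_internal(btc, 8, 6));
    println!("max whole price for (8, 18): {}", max_nominal_whole(8, 18));
    println!("unsupported decimal combos: {}", unsupported_pairs(btc).len());
}
```

For an 8-decimal base quoted in an 18-decimal asset, the largest storable whole-number price is 34,028, so any market priced above that fails regardless of which tokens are involved.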

Alpha: make sure to check that all the variables and math operations work with all tokens in the README. Low-decimal variables should raise questions.

Conclusion

This finding would earn you $3318, and again, it can be found essentially by adding to your checklist that all tokens in the README must work correctly with the codebase.

Full Report
Codebase
