
Oracle Decimal Mismatch

Oracle decimal mismatch happens when code scales an oracle answer with the wrong decimal precision.

Oracle decimal mismatch means the price is right, but the contract reads the number at the wrong scale.

Oracle Decimal Mismatch Explained in Detail

Oracle answers have their own decimal precision. Token amounts also have token decimals. Mixing these scales incorrectly can overvalue or undervalue assets by powers of ten.

For example, Chainlink USD-denominated feeds typically answer with 8 decimals, while its ETH-denominated feeds typically answer with 18. A contract that divides every answer by 1e8 is off by 1e10 on the latter, and a contract that assumes every token has 18 decimals is off by 1e12 on a 6-decimal token such as USDC.

Smart contract example

uint8 feedDecimals = feed.decimals(); // AggregatorV3Interface exposes the answer's scale; read it, do not assume it

Reading the feed's precision (and the token's, via ERC20 decimals()) is safer than assuming 1e8 or 1e18. Every product of an amount and a price then carries tokenDecimals + feedDecimals decimals, and the code must scale that explicitly to whatever unit the caller expects.
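The pattern above, carried through to a full valuation function, as an added example that is not code from the original page. The interfaces are the minimal subsets of Chainlink's AggregatorV3Interface and the ERC20 metadata extension that the example needs; `PriceMath`, `valueUsdHardcoded` and `valueUsd` are hypothetical names. The vulnerable version hardcodes 1e8, the hardened version reads both scales and normalizes to an 18-decimal USD value:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original page. Minimal interface subsets;
// PriceMath and its function names are hypothetical.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

library PriceMath {
    // Target scale for USD values inside the protocol: 18 decimals (1e18 == $1).
    uint256 internal constant USD_DECIMALS = 18;

    // VULNERABLE: assumes every feed answers with 8 decimals and every token has 18.
    // For a 6-decimal token the result is 1e12 times too small; for a feed that
    // answers with 18 decimals the result is 1e10 times too large.
    function valueUsdHardcoded(IAggregatorV3 feed, uint256 amount) internal view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return amount * uint256(answer) / 1e8;
    }

    // HARDENED: read both scales and normalize explicitly.
    // amount has tokenDec decimals, answer has feedDec decimals,
    // the product has tokenDec + feedDec decimals, the result has 18.
    function valueUsd(IAggregatorV3 feed, IERC20Metadata token, uint256 amount) internal view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        require(answer > 0, "bad price"); // needed before the int256 -> uint256 cast
        uint256 have = uint256(feed.decimals()) + uint256(token.decimals());
        uint256 raw = amount * uint256(answer);
        if (have > USD_DECIMALS) {
            // Division rounds down; acceptable for collateral, see the rounding note below.
            return raw / 10 ** (have - USD_DECIMALS);
        }
        return raw * 10 ** (USD_DECIMALS - have); // exact, no rounding
    }
}
```

The one branch that loses precision is the division; the hardened function rounds down, which is the safe direction when valuing collateral but the wrong one when valuing debt, so a protocol that uses one helper for both paths should pass the rounding direction in explicitly.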

Oracle Decimal Mismatch in Auditing

Decimal bugs can create bad debt, bad liquidations, frozen markets, or unfair minting. They are common because oracle values, ERC20 amounts, and internal accounting often use different units.

Auditors trace units through every multiplication and division, writing the decimal count next to each intermediate value, and compare the final scale against the one the consumer of that value expects.

Red flags in code

  • Hardcoded 1e8 or 1e18 for all feeds.

  • Token decimals are reused as oracle decimals.

  • Two scaled values are multiplied without normalization.

  • Tests use only 18-decimal tokens and 8-decimal feeds.

  • Collateral and debt paths normalize differently.

How to test or review it

  • Test feeds with 6, 8, and 18 decimals.

  • Test tokens with 6, 8, and 18 decimals.

  • Assert final value units explicitly.

  • Check rounding direction near liquidation thresholds.

  • Review every path that converts price into token amount or USD value.
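The checklist above as a Foundry test, an added example that is not part of the original page. `MockFeed`, `MockToken`, `Pricer` and `DecimalMatrixTest` are hypothetical test doubles and names; forge-std's `Test` is assumed to be available. The test sweeps every combination of 6, 8 and 18 decimals for feed and token, asserts the final unit explicitly, and checks that the collateral and debt paths round in opposite directions near a threshold:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Added example, not from the original page. All contract names are hypothetical.
contract MockFeed {
    uint8 public decimals;
    int256 public answer;
    constructor(uint8 d, int256 a) { decimals = d; answer = a; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, block.timestamp, block.timestamp, 1);
    }
}

contract MockToken {
    uint8 public decimals;
    constructor(uint8 d) { decimals = d; }
}

contract Pricer {
    // Returns an 18-decimal USD value. Collateral should round DOWN, debt should round UP.
    function value(MockFeed feed, MockToken token, uint256 amount, bool roundUp) public view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        require(answer > 0, "bad price");
        uint256 raw = amount * uint256(answer);
        uint256 have = uint256(feed.decimals()) + uint256(token.decimals());
        if (have <= 18) return raw * 10 ** (18 - have); // exact, no rounding
        uint256 div = 10 ** (have - 18);
        return roundUp ? (raw + div - 1) / div : raw / div;
    }
}

contract DecimalMatrixTest is Test {
    Pricer pricer = new Pricer();

    // "2 tokens at $1500" must come out as 3000e18 for every feed/token decimal pair.
    function testAllDecimalCombinations() public {
        uint8[3] memory decs = [6, 8, 18];
        for (uint256 i = 0; i < 3; i++) {
            for (uint256 j = 0; j < 3; j++) {
                MockFeed feed = new MockFeed(decs[i], int256(1500 * 10 ** uint256(decs[i])));
                MockToken token = new MockToken(decs[j]);
                uint256 amount = 2 * 10 ** uint256(decs[j]);
                assertEq(pricer.value(feed, token, amount, false), 3000e18, "collateral path");
                assertEq(pricer.value(feed, token, amount, true), 3000e18, "debt path");
            }
        }
    }

    // Rounding direction: 1 wei of an 18-decimal token at an 8-decimal price of $1.50
    // gives raw = 1.5e8 over a divisor of 1e8. Collateral must value it at 1, debt at 2.
    function testRoundingDirectionNearThreshold() public {
        MockFeed feed = new MockFeed(8, 150_000_000);
        MockToken token = new MockToken(18);
        assertEq(pricer.value(feed, token, 1, false), 1, "collateral rounds down");
        assertEq(pricer.value(feed, token, 1, true), 2, "debt rounds up");
    }
}
```

Run with `forge test`. The matrix test is the one that catches hardcoded scales: a pricer that divides by 1e8 or assumes 18-decimal tokens passes the (8, 18) cell and fails the other eight.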
