AfEth.deposit() may mint an incorrect amount of afEth.
VotiumStrategy.price() may return an incorrect price of vAfEth.
AfEth.price() may return an incorrect price of afEth.
function price() external view override returns (uint256) {
return (cvxPerVotium() * ethPerCvx(false)) / 1e18;
}
calls ethPerCvx(false) where false implies that the Chainlink response is not validated. VotiumStrategy.price() may thus return an invalid value.
VotiumStrategy.price() is used by AfEth.price() in the calculation of the price of afEth. Both of these price() are used in AfEth.deposit() to calculate the amount of afEth to mint. If the Chainlink response is invalid an incorrect amount of afEth may thus be minted, instead of reverting.
ethPerCvx(true) is used in the far less critical AfEth.depositRewards(). It should be used here as well.
Invalid Validation
The text was updated successfully, but these errors were encountered:
All reactions