Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

priceFeed1 in pegOracle is not checked for sanity #131

Closed
code423n4 opened this issue Sep 17, 2022 · 3 comments
Closed

priceFeed1 in pegOracle is not checked for sanity #131

code423n4 opened this issue Sep 17, 2022 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists old-submission-method partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/oracles/PegOracle.sol#L63

Vulnerability details

Impact

priceFeed1 is called directly, instead of through getOracle1_Price, thus missing assurance checks. for example, price1<=0 is not reverted. This may result in unexpected behavior.

Proof of Concept

https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/oracles/PegOracle.sol#L63

Tools Used

Recommended Mitigation Steps

  1. merge getOracle1_Price() and getOracle2_Price() to take in an oracleIndex:
    getOracle_Price(uint256 oracleIndex)
  2. let getOracle_Price return other items as well:
    getOracle_Price(uint256 oracleIndex) returns (uint80 roundID, int256 price, uint256 timeStamp, uint80 answeredInRound)
  3. apply decimal adjustment inside of this function, so both priceFeeds are adjusted properly.
  4. used getOracle_Price(0) and getOracle1_Price(1) to get the correct priceFeeds.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working old-submission-method labels Sep 17, 2022
code423n4 added a commit that referenced this issue Sep 17, 2022
@code423n4
datapunk issue #131
292dc14
@MiguelBits MiguelBits mentioned this issue Sep 21, 2022
Closed
@MiguelBits MiguelBits added the duplicate This issue or pull request already exists label Sep 23, 2022
@0xnexusflip 0xnexusflip added resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Sep 28, 2022
@MiguelBits MiguelBits removed the duplicate This issue or pull request already exists label Oct 3, 2022
@HickupHH3
Copy link
Collaborator

partial credit. the keyword i'm looking for is stale prices. while negative prices are a possibility, it's arguably more unlikely to happen compared to staleness.

@HickupHH3
Copy link
Collaborator

dup of #61

@HickupHH3 HickupHH3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) duplicate This issue or pull request already exists and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Oct 17, 2022
@HickupHH3
Copy link
Collaborator

realise that the <= 0 check is done in the Factory. Hence, further reducing the partial credit given (not entirely invalidating because of the <= 0 check is arguably better placed in the PegOracle).

@HickupHH3 HickupHH3 added partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) and removed partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) labels Oct 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists old-submission-method partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MiguelBits @code423n4 @HickupHH3 @0xnexusflip