This repository has been archived by the owner on May 26, 2023. It is now read-only.

rvierdiiev - Vault_Velo will stop working with collateral if oracle in DepositReceipt_USDC or DepositReceipt_ETH will stop working #59

Closed
github-actions bot opened this issue Dec 11, 2022 · 2 comments

Comments

@github-actions

rvierdiiev

medium

Vault_Velo will stop working with collateral if oracle in DepositReceipt_USDC or DepositReceipt_ETH will stop working

Summary

Vault_Velo will stop working with collateral if oracle in DepositReceipt_USDC or DepositReceipt_ETH will stop working

Vulnerability Detail

DepositReceipt_USDC and DepositReceipt_ETH contracts depend on an oracle to get the prices of their deposited amounts.
They use Chainlink oracles, which are provided during contract creation.
In case something happens with any oracle and it is not working anymore, the DepositReceipt_USDC and DepositReceipt_ETH contracts do not have the ability to set a new oracle.
As a result, Vault_Velo will stop working with that collateral and no one will be able to close their loan, because Vault_Velo will revert when it tries to calculate the deposited NFT amount, because DepositReceipt_Base.getOraclePrice will always revert.

Impact

No one will be able to close their loan and will lose collateral.

Code Snippet

https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/Vault_Velo.sol#L555
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/Vault_Velo.sol#L209-L212
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Velo-Deposit-Tokens/contracts/DepositReceipt_USDC.sol#L60
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Velo-Deposit-Tokens/contracts/DepositReceipt_USDC.sol#L90
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Velo-Deposit-Tokens/contracts/DepositReceipt_Base.sol#L164-L181

Tool used

Manual Review

Recommendation

Add ability to change oracle address for both contracts.
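
One way to implement the recommendation above, as an added example that is not part of the original report or the Isomorph code base: a Chainlink feed reference that an admin can replace only after a timelock, so the setter does not become an instant price-manipulation lever. The contract name, admin role, delay and staleness window are assumptions; only `latestRoundData()` comes from Chainlink's aggregator interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;
// Subset of Chainlink's AggregatorV3Interface, declared inline.
interface IAggregatorV3 {
    function latestRoundData() external view
        returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80);
}
// Hypothetical contract: all names and constants below are assumptions.
contract ReplaceableOracleReceipt {
    uint256 public constant CHANGE_DELAY = 3 days; // assumed timelock
    uint256 public constant MAX_AGE = 1 days;      // assumed staleness limit
    address public immutable admin;
    IAggregatorV3 public oracle;
    IAggregatorV3 public pendingOracle;
    uint256 public pendingSince;
    event OracleProposed(address indexed candidate, uint256 activeAfter);
    event OracleChanged(address indexed previous, address indexed current);
    constructor(IAggregatorV3 _oracle) {
        admin = msg.sender;
        oracle = _oracle;
        _readPrice(_oracle); // refuse to deploy against a dead feed
    }

    // Step 1: announce the replacement so users can react before it is live.
    function proposeOracle(IAggregatorV3 candidate) external {
        require(msg.sender == admin, "not admin");
        _readPrice(candidate); // candidate must return a fresh, positive price
        pendingOracle = candidate;
        pendingSince = block.timestamp;
        emit OracleProposed(address(candidate), block.timestamp + CHANGE_DELAY);
    }

    // Step 2: anyone may finalise once the delay has elapsed.
    function acceptOracle() external {
        require(address(pendingOracle) != address(0), "nothing pending");
        require(block.timestamp >= pendingSince + CHANGE_DELAY, "timelocked");
        _readPrice(pendingOracle); // still alive at activation time
        emit OracleChanged(address(oracle), address(pendingOracle));
        oracle = pendingOracle;
        delete pendingOracle;
    }
    function getPrice() external view returns (uint256) { return _readPrice(oracle); }
    function _readPrice(IAggregatorV3 feed) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad price");
        require(block.timestamp - updatedAt <= MAX_AGE, "stale price");
        return uint256(answer);
    }
}
```

`getPrice` still reverts while the active feed is dead; the point of the two-step change is that this state is recoverable instead of permanent.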

@kree-dotcom

I have confirmed that what the auditor states is true. However, I think this is acceptable within the threat model of the protocol. Unless a good example of why an oracle should stop working is given (can we reach out to the auditor for a better example?), this seems like a very vague and wide-reaching problem. Many other protocols rely on Chainlink oracles and equally would break if these stopped working. For example, the Lyra and Synthetix systems also both rely on Chainlink oracles (though I have not checked if they have the ability to alter these as the user has advised here).

@hrishibhat
Contributor

In case something happens with any oracle and it is not working anymore

Making this issue a low based on the above comment, as there is no clear example of how the issue would occur.
