`onlyOwner` Role Can Manipulate Price Oracle

[code423n4]

Handle

leastwood

Vulnerability details

Impact

The V2 LendingController.sol contract incorporates a custom oracle used to fetch the relevant price feeds for token pairs. The onlyOwner role is controlled by a modified timelock contract callable only from a single externally owned account. This role can update the price oracle at any time and as a result, update the logic of the relevant tokenPrices() queries in LendingPair.sol. It is entirely possible for this role to liquidate all users, receiving tokens for this action.

Proof of Concept

https://github.com/code-423n4/2021-09-wildcredit/blob/main/contracts/LendingPair.sol#L271-L326 https://gist.github.com/talegift/b7f50700a04f68c593ee079819f69ec2

Tools Used

Manual code review Discussions with 0xdev0

Recommended Mitigation Steps

Consider limiting the amount of power the onlyOwner role has by distributing it among multiple accounts via a multisig wallet or increasing the overall transparency of the upgrade process. If a malicious change is to be made to the LendingController.sol contract, this must be made visible to all users of the system, giving considerable time to withdraw if they disagree with the proposed change. Alternatively, a governance token could be introduced to further distribute the associated risk, allowing token holders to fully govern any changes to WildCredit's underlying protocol.

[talegift]

Owner will be set to a TimeLock.

Also, this is not a code issue. Similar to the invalid privileged access report from the last audit.

https://github.com/code-423n4/2021-07-wildcredit-findings/issues/93#issuecomment-890592171

[ghoul-sol]

works as designed, invalid