code-423n4 / 2022-03-rolla-findings


admin can rug by setting a malicious oracle #35

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/pricing/OracleRegistry.sol#L31

Vulnerability details

The admin can set a malicious oracle and set the prices in such a way that would allow him to make a profit on his options, therefore allowing them to drain the protocol.

quantizations commented 2 years ago

When creating a QToken it is attached to an oracle. The addition of a malicious oracle doesn't impact existing QTokens. At worst, a malicious oracle can be added and then someone would have to be sold worthless QTokens or forced to mint them and trade them. Collateral is isolated per oracle so only users who fell for the attack will be impacted.

Disputing as it is unreasonable to assume all governance is malicious.
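A minimal Solidity model of the design the sponsor describes, added here as an illustration and not the Quant protocol's own code: the oracle is fixed when a token is created, so registering a new oracle later cannot change what existing QTokens settle against. Contract names, the `IPriceOracle` interface and its `getExpiryPrice` signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical model (not the Quant protocol's code): a token binds to one
// oracle at creation, so oracles added to the registry afterwards cannot
// affect what existing tokens settle against.

interface IPriceOracle {
    // Price of the underlying at expiry (assumed interface).
    function getExpiryPrice(address asset, uint256 expiry) external view returns (uint256);
}

contract OracleRegistryModel {
    address public immutable admin;
    mapping(address => bool) public isRegistered;

    // Emitting an event lets integrators and monitors notice every addition.
    event OracleAdded(address indexed oracle);

    constructor() { admin = msg.sender; }

    // Only the admin can add oracles; this is the privileged step the finding is about.
    function addOracle(address oracle) external {
        require(msg.sender == admin, "not admin");
        isRegistered[oracle] = true;
        emit OracleAdded(oracle);
    }
}

contract QTokenModel {
    address public immutable oracle;      // fixed for the token's whole life
    address public immutable underlying;
    uint256 public immutable expiry;

    constructor(OracleRegistryModel registry, address _oracle, address _underlying, uint256 _expiry) {
        // The oracle must be registered at creation time; the registry is never
        // consulted again, so later additions cannot re-point this token.
        require(registry.isRegistered(_oracle), "oracle not registered");
        oracle = _oracle;
        underlying = _underlying;
        expiry = _expiry;
    }

    // Settlement reads only from the oracle bound at creation.
    function settlementPrice() external view returns (uint256) {
        require(block.timestamp >= expiry, "not expired");
        return IPriceOracle(oracle).getExpiryPrice(underlying, expiry);
    }
}
```

The `OracleAdded` event is the point a user or integrator would watch: before accepting or minting a token, check that its `oracle()` is one they trust, since only tokens created against the new oracle depend on it.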

alcueca commented 2 years ago

Agree with the sponsor.