code-423n4 / 2022-03-volt-findings


Inconsistent use of oracle #120

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/oracle/IOracle.sol#L21

Vulnerability details

Impact

Throughout the protocol, oracles are relied upon to keep Volt stable, calculate payouts to users, and judge whether actions are eligible to be carried out. On the NonCustodialPSM contract, the oracle is updated with the updateOracle function. However, no check is implemented for whether the price is out of date.

Proof of Concept

https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/oracle/IOracle.sol#L21

Tools Used

Code Review

Recommended Mitigation Steps

Ensure that all related oracle functions implement a protection mechanism if the price is out of date.

ElliotFriedman commented 2 years ago

Price can never be out of date on the OraclePassThrough or ScalingPriceOracle.

jack-the-pug commented 2 years ago

It's hard to tell if this is a real issue as the actual implementation contract is out of scope. I'll make it invalid.

ElliotFriedman commented 2 years ago

The update() function on the oracle pass through does nothing, so this is not a valid issue.