Closed code423n4 closed 2 years ago
This is expected behavior as explained in the comments. If there actually is inflation above 20% per month, then we will use governance to change out where Oracle Pass Through is pointing to, and remove or enlarge the maximum allowed deviation.
Dup #46
Lines of code
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L52-L55
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L168-L178
Vulnerability details
Impact
For a month with a 20%+ increase in CPI, the VOLT oracle will revert changes to the VOLT price. However infeasible, this value is not impossible and not necessarily infeasible, and therefore should be considered, as if it were to occur the users would suffer from an event that VOLT is trying to protect them from. For example, in December 2021 Turkey had a CPI of 14%. Ukraine is having regular 10% months. This is not just a reality for 3rd world countries; in California gas prices increased by 21% in just February. All of this, along with the world being in war tension, can lead to the unlikely event of a 20% change in CPI in a month.
Proof of Concept
USD having greater than 20% monthly CPI.
Tools Used
Manual analysis
Recommended Mitigation Steps
Consider either replacing 20 with a larger cap like 30, 40 or even 50, or even just allowing data to be updated by 20% capped, instead of reverting.
Another option is to add a function in ScalingPriceOracle that would allow FRAX and VOLT governance to change the maximum allowed monthly CPI change along with making MAXORACLEDEVIATION mutable.
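The difference between the revert-on-deviation behaviour described in this report and the two mitigations it recommends (clamping, and a governance-adjustable cap) can be sketched as follows. This is an added example, not part of the original report and not code from the Volt repository: the contract, its function and variable names, the 50% hard cap and the way deviation is measured are all assumptions, and caller restrictions on the update functions are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration only: simplified model of a monthly-deviation guard.
/// Every name here is hypothetical; none is taken from ScalingPriceOracle.sol.
contract DeviationGuardExample {
    uint256 public constant BASIS_POINTS = 10_000;
    uint256 public constant HARD_CAP_BPS = 5_000; // assumed ceiling for governance
    address public immutable governor;            // assumed governance address
    uint256 public maxDeviationBps = 2_000;       // 20%, the cap discussed above
    uint256 public lastReading;

    event ReadingClamped(uint256 reported, uint256 applied);
    event MaxDeviationUpdated(uint256 oldBps, uint256 newBps);

    constructor(uint256 initialReading) {
        require(initialReading > 0, "zero reading");
        governor = msg.sender;
        lastReading = initialReading;
    }

    /// Allowed range for the next reading, relative to the last accepted one.
    function bounds() public view returns (uint256 lo, uint256 hi) {
        uint256 delta = (lastReading * maxDeviationBps) / BASIS_POINTS;
        return (lastReading - delta, lastReading + delta);
    }

    /// Behaviour described in the report: an out-of-range update is rejected,
    /// so the stored reading stays stale until governance intervenes.
    function updateOrRevert(uint256 reported) external {
        (uint256 lo, uint256 hi) = bounds();
        require(reported >= lo && reported <= hi, "outside deviation threshold");
        lastReading = reported;
    }

    /// First recommendation: accept the update but cap it at the threshold,
    /// emitting an event so monitoring can alert on every clamped month.
    function updateClamped(uint256 reported) external {
        (uint256 lo, uint256 hi) = bounds();
        uint256 applied = reported > hi ? hi : (reported < lo ? lo : reported);
        if (applied != reported) emit ReadingClamped(reported, applied);
        lastReading = applied;
    }

    /// Second recommendation: a governance-adjustable cap, itself bounded so a
    /// compromised or mistaken governance call cannot disable the guard.
    function setMaxDeviationBps(uint256 newBps) external {
        require(msg.sender == governor, "not governor");
        require(newBps > 0 && newBps <= HARD_CAP_BPS, "cap out of range");
        emit MaxDeviationUpdated(maxDeviationBps, newBps);
        maxDeviationBps = newBps;
    }
}
```

With `lastReading` at 100 and a reported value of 121, `updateOrRevert` reverts and leaves 100 in place, while `updateClamped` stores 120 and emits `ReadingClamped(121, 120)`.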