code-423n4 / 2022-03-volt-findings


Chain ID Is Not Resistant To Hard Fork and Other Token Supports In The Oracle Contract #37

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/oracle/ScalingPriceOracle.sol#L85

Vulnerability details

Impact

During the code review, it has been observed that only the following chain ids are supported for Chainlink (1 and 42 - https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/oracle/ScalingPriceOracle.sol#L84). The contracts are not upgradeable; therefore, if there is any hard fork or new chain support, the contract should be deployed again with the supported chain id.

Proof of Concept

  1. Navigate to the following contract line.

https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/oracle/ScalingPriceOracle.sol#L84

  2. Chain ids are hardcoded.

Tools Used

Code Review

Recommended Mitigation Steps

Ensure that the code is tamper resistant when the hard-fork or new chain is supported.

ElliotFriedman commented 2 years ago

This is not an issue because the only reason the chainid is checked is to determine if the Chainlink token is needed. If we deploy this contract and Ethereum changes its chainid later, assuming the Chainlink token address stayed constant, which is the most likely outcome, there would be no impact.