code-423n4 / 2022-04-badger-citadel-findings


Removing Provider could lead to no provider at all #195

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/ampleforth/market-oracle/blob/5e7fd1506784f074748ab6bd5df740ca2227b14f/contracts/MedianOracle.sol#L221

Vulnerability details

Impact

When removing a provider you don't verify that there is at least one provider left. If no provider is left, then no price data can be reported.

Proof of Concept

(1) https://github.com/ampleforth/market-oracle/blob/5e7fd1506784f074748ab6bd5df740ca2227b14f/contracts/MedianOracle.sol#L221

Tools Used

hardhat test

Recommended Mitigation Steps

Add a check on the length of the providers and revert if the length is one.

GalloDaSballo commented 2 years ago

Per the code, if we don't have enough providers we will return that the quote is not to be trusted: https://github.com/ampleforth/market-oracle/blob/5e7fd1506784f074748ab6bd5df740ca2227b14f/contracts/MedianOracle.sol#L196

I fail to see a vulnerability here; I would like to get broader context from the warden.
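
An added sketch, not code from this thread or from the market-oracle repository, that puts the two positions side by side: the removal guard the finding recommends and the fail-closed read the reply describes. The contract name, storage layout, the `minimumProviders` value of 1 and the mean aggregation are assumptions made for illustration, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration only; this is not the MedianOracle source.
// Owner-only access control on add/remove is omitted to keep the sketch short.
contract ProviderSetModel {
    address[] public providers;
    mapping(address => uint256) public latestReport; // 0 means "no report"
    uint256 public minimumProviders = 1;             // assumed threshold

    function addProvider(address p) external {
        providers.push(p);
    }

    function report(uint256 value) external {
        require(value != 0, "zero report");
        latestReport[msg.sender] = value;
    }

    // Guard recommended in the finding: refuse to remove the last provider.
    function removeProvider(address p) external {
        require(providers.length > 1, "would leave no provider");
        for (uint256 i = 0; i < providers.length; i++) {
            if (providers[i] == p) {
                // Swap with the last entry and shrink the array.
                providers[i] = providers[providers.length - 1];
                providers.pop();
                delete latestReport[p];
                return;
            }
        }
        revert("unknown provider");
    }

    // Fail-closed read described in the reply: with too few reports the
    // caller gets valid == false instead of a stale or made-up price.
    function getData() external view returns (uint256 value, bool valid) {
        uint256 sum;
        uint256 count;
        for (uint256 i = 0; i < providers.length; i++) {
            uint256 r = latestReport[providers[i]];
            if (r != 0) { sum += r; count++; }
        }
        if (count < minimumProviders) return (0, false);
        return (sum / count, true); // mean for brevity; not a median
    }
}
```

With the guard in place the provider set can never become empty; without it, the read path still reports `valid == false`, so the consumer's handling of that flag is what determines the impact.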