The oracle address settings for the PriceOracle.sol contract are not checked for the zero address, and the contract will not work as expected if an oracle address is set to the zero address (which is the default value if it is not passed to the constructor). #174
Lines of code
https://github.com/code-423n4/2022-06-notional-coop/blob/main/index-coop-notional-trade-module/contracts/protocol/PriceOracle.sol#L91
https://github.com/code-423n4/2022-06-notional-coop/blob/main/index-coop-notional-trade-module/contracts/protocol/PriceOracle.sol#L202
Vulnerability details
Impact
The getPrice function of the PriceOracle contract internally calls _getPriceFromAdapters() to get the price, but does not check that the adapters are not set to the zero address, so when an address in the adapters array is the zero address, the price will not be fed properly.
Proof of Concept
The getPrice function of the PriceOracle contract internally calls _getPriceFromAdapters() to get the price, but does not check that the adapters are not set to the zero address, so when an address in the adapters array is the zero address, the price will not be fed properly.
Tools Used
Recommended Mitigation Steps
Use a for loop with require() to check that each address is not the zero address.
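The for-and-require check recommended above, written out as an added example. This is not code from PriceOracle.sol: the contract AdapterListExample, the interface IAdapterExample, the owner check and the revert strings are all hypothetical and only mirror the adapters-array pattern the report describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical adapter interface (assumption, not the project's own).
interface IAdapterExample {
    function getPrice(address assetOne, address assetTwo)
        external view returns (bool found, uint256 price);
}

// Hypothetical contract showing zero-address validation of an adapters array.
contract AdapterListExample {
    address public owner;
    address[] public adapters;

    constructor(address[] memory _adapters) {
        owner = msg.sender;
        // Validate every entry before storing it, so a zero address
        // can never end up in the adapters array at deployment.
        for (uint256 i = 0; i < _adapters.length; i++) {
            _requireNonZero(_adapters[i]);
            adapters.push(_adapters[i]);
        }
    }

    // Later additions go through the same check as the constructor.
    function addAdapter(address _adapter) external {
        require(msg.sender == owner, "Caller is not owner");
        _requireNonZero(_adapter);
        adapters.push(_adapter);
    }

    function _requireNonZero(address _addr) internal pure {
        require(_addr != address(0), "Address must not be zero");
    }

    // Without the checks above, a zero entry would be called here; a
    // high-level call to an address with no code reverts, so the lookup
    // would fail instead of returning a price.
    function getPriceFromAdapters(address assetOne, address assetTwo)
        external view returns (bool, uint256)
    {
        for (uint256 i = 0; i < adapters.length; i++) {
            (bool found, uint256 price) =
                IAdapterExample(adapters[i]).getPrice(assetOne, assetTwo);
            if (found) return (true, price);
        }
        return (false, 0);
    }
}
```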