code-423n4 / 2022-06-notional-coop-findings


The Oracle address settings for the PriceOracle.sol contract are not checked for ZERO Address, and will not do the expected work if the prophecy machine address is set to Zero address (which will be populated with 0 by default if not passed to the constructor). #174

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/main/index-coop-notional-trade-module/contracts/protocol/PriceOracle.sol#L91

https://github.com/code-423n4/2022-06-notional-coop/blob/main/index-coop-notional-trade-module/contracts/protocol/PriceOracle.sol#L202

Vulnerability details

Impact

Detailed description of the impact of this finding.

The getPrice function of the PriceOracle contract internally calls _getPriceFromAdapters() to get the price, but does not check that the adapters are not set to Zero Address, so when the address in the adapters array is 0 addr, the price will not be fed properly.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

The getPrice function of the PriceOracle contract internally calls _getPriceFromAdapters() to get the price, but does not check that the adapters are not set to Zero Address, so when the address in the adapters array is 0 addr, the price will not be fed properly.

Tools Used

Recommended Mitigation Steps

for & require()

ckoopmann commented 2 years ago

This contract is not in scope for the contest.