code-423n4 / 2022-08-olympus-findings


The system can only support one reserve asset #427

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Heart.sol#L73

Vulnerability details

Impact

The system currently cannot have multiple oracles, so cannot implement multiple RANGE and work properly in its current form.

There is an incoherence between the TRSRY, which is made for multiple reserve assets, and the other modules like PRICE or RANGE.

Proof of Concept

In the PRICE module it is stated: “The Olympus Price Oracle contract provides a standard interface for OHM price data against a reserve asset.”, and the PRICE module only supports one oracle. It is therefore expected that the system supports multiple PRICE modules: 1 per reserve asset.

But in OlympusHeart.sol, line 73 we have: `PRICE = OlympusPrice(getModuleAddress(dependencies[0]));`, so all `Heart` policies will support the same oracle, which is not the intended behavior.

The same kind of thing works for the RANGE module.

Recommended Mitigation Steps

Change the keyCode system to allow for multiple reserve assets
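The following is an added, self-contained model written for this write-up; it is not the Olympus Kernel, Heart or PRICE code, and every contract, type and function name in it (SingleKeycodeRegistry, PerReserveRegistry, MockPriceOracle, the free function toKeycode, bindReserve) is an assumption made for illustration. It shows the property the finding relies on: a registry that maps one keycode to one module address can only ever hand a policy one PRICE oracle, no matter how many reserve assets the treasury holds. The second half sketches one hypothetical shape the recommended mitigation could take, keying the oracle lookup by (keycode, reserve asset) instead of by keycode alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Constructed, simplified model of a keycode-based module registry (hypothetical,
// not the Olympus Kernel). It demonstrates why a policy that resolves PRICE through
// a single keycode can only see one oracle, and one hypothetical per-reserve variant.

type Keycode is bytes5;

// Assumed helper: wraps a 5-byte identifier such as "PRICE" into a Keycode.
function toKeycode(bytes5 k) pure returns (Keycode) {
    return Keycode.wrap(k);
}

// Stand-in for a price oracle module; it simply records which reserve it prices.
contract MockPriceOracle {
    address public immutable reserve;
    uint256 public immutable price;

    constructor(address reserve_, uint256 price_) {
        reserve = reserve_;
        price = price_;
    }
}

// One module per keycode: this is the limitation the finding describes.
contract SingleKeycodeRegistry {
    mapping(Keycode => address) internal modules;

    function installModule(Keycode key, address module) external {
        require(modules[key] == address(0), "keycode already installed");
        modules[key] = module;
    }

    function getModuleAddress(Keycode key) external view returns (address) {
        address module = modules[key];
        require(module != address(0), "module not installed");
        return module;
    }
}

// Policy in the style of the finding: PRICE is bound once, from dependencies[0].
contract SingleReservePolicy {
    SingleKeycodeRegistry public immutable kernel;
    MockPriceOracle public PRICE;

    constructor(SingleKeycodeRegistry kernel_) {
        kernel = kernel_;
    }

    function configureDependencies() external returns (Keycode[] memory dependencies) {
        dependencies = new Keycode[](1);
        dependencies[0] = toKeycode("PRICE");
        // Whatever reserve assets exist, this policy can only ever see this one oracle.
        PRICE = MockPriceOracle(kernel.getModuleAddress(dependencies[0]));
    }
}

// Hypothetical mitigation shape: resolve a module by (keycode, reserve asset).
contract PerReserveRegistry {
    mapping(Keycode => mapping(address => address)) internal modules;

    function installModule(Keycode key, address reserve, address module) external {
        require(modules[key][reserve] == address(0), "already installed for reserve");
        modules[key][reserve] = module;
    }

    function getModuleAddress(Keycode key, address reserve) external view returns (address) {
        address module = modules[key][reserve];
        require(module != address(0), "no module for reserve");
        return module;
    }
}

// Policy that keeps one PRICE oracle per reserve asset instead of a single binding.
contract MultiReservePolicy {
    PerReserveRegistry public immutable kernel;
    mapping(address => MockPriceOracle) public priceFor;

    constructor(PerReserveRegistry kernel_) {
        kernel = kernel_;
    }

    // Assumed entry point: bind the oracle installed for a given reserve asset.
    function bindReserve(address reserve) external {
        priceFor[reserve] = MockPriceOracle(kernel.getModuleAddress(toKeycode("PRICE"), reserve));
    }
}
```

In the single-keycode registry, installing a second oracle under "PRICE" reverts, so two reserve assets can never each get their own PRICE module; the per-reserve registry makes the reserve asset part of the lookup key, which is the kind of keycode change the mitigation step asks for. Whether that is desirable for RBS is a design question the thread below addresses.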

Oighty commented 2 years ago

The initial Range-Bound Stability system (PRICE, RANGE, Operator, Heart) is only designed for one reserve asset. The Kernel architecture is designed to allow updates to the system over time. The Treasury will support multiple reserve assets initially, but only one of them will be used for RBS. In the future, it may be updated to support multiple.

0xean commented 2 years ago

downgrading to QA - dupe of #425