There are no other contracts that call OlympusRange.updatePrices() currently and adding the check would cost additional gas. Given the system is modular with the Kernel architecture, we can update the OlympusRange contract in the future if needed.
Downgrading to QA. #423 is the warden's QA report.
Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/RANGE.sol#L158-L178
Vulnerability details
Impact
A missing zero value check in OlympusRange.updatePrices() sets the wall and cushion prices to 0. Due to this, anytime Operator.operate() is called, it will always close the cushion bond markets since prices are set to 0.
This is possible when a permissioned contract other than the Operator contract calls RANGE.updatePrices().
Tools Used
Manual review
Recommended Mitigation Steps
A zero value check is necessary, e.g.:
require(movingAverage_ != 0, "zero moving average");
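The guard discussed in this thread, as an added example that is not the Olympus RANGE.sol source and not code from the report: a simplified range module whose bounds are derived multiplicatively from the moving average, so a zero input collapses all four prices to 0. The contract name, the `Band` layout, the basis-point `FACTOR_SCALE`, the omission of access control and the use of a custom error in place of the `require` string are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Hypothetical stand-in for a price-range module (not the project's contract).
/// Access control (the `permissioned` caller check) is left out for brevity.
contract RangeModel {
    error ZeroMovingAverage();

    // Assumed scale: spreads are expressed in basis points.
    uint256 public constant FACTOR_SCALE = 1e4;

    struct Band {
        uint256 low;
        uint256 high;
    }

    Band public cushion;
    Band public wall;
    uint256 public immutable cushionSpread;
    uint256 public immutable wallSpread;

    constructor(uint256 cushionSpread_, uint256 wallSpread_) {
        require(cushionSpread_ < wallSpread_ && wallSpread_ < FACTOR_SCALE, "bad spreads");
        cushionSpread = cushionSpread_;
        wallSpread = wallSpread_;
    }

    /// Unguarded variant: movingAverage_ == 0 writes 0 into every bound.
    function updatePricesUnchecked(uint256 movingAverage_) external {
        _setBands(movingAverage_);
    }

    /// Guarded variant: rejects a zero moving average before any state is written.
    function updatePrices(uint256 movingAverage_) external {
        if (movingAverage_ == 0) revert ZeroMovingAverage();
        _setBands(movingAverage_);
    }

    /// Each bound is movingAverage * (1 -/+ spread), so a zero input zeroes all four.
    function _setBands(uint256 ma) private {
        wall.low = (ma * (FACTOR_SCALE - wallSpread)) / FACTOR_SCALE;
        wall.high = (ma * (FACTOR_SCALE + wallSpread)) / FACTOR_SCALE;
        cushion.low = (ma * (FACTOR_SCALE - cushionSpread)) / FACTOR_SCALE;
        cushion.high = (ma * (FACTOR_SCALE + cushionSpread)) / FACTOR_SCALE;
    }
}
```

A custom error costs less gas to deploy and to revert with than a `require` with a string message, which is relevant to the gas concern raised in the discussion.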