code-423n4 / 2022-08-olympus-findings


Missing zero value check in OlympusRange.updatePrices() will close Cushion Bond Markets. #431

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/RANGE.sol#L158-L178

Vulnerability details

Impact

A missing zero value check in OlympusRange.updatePrices() sets the wall and cushion prices to 0. Due to this, anytime Operator.operate() is called, it will always close the cushion bond markets since prices are set to 0.

This is possible when a permissioned contract other than the Operator contract calls RANGE.updatePrices().

Tools Used

Manual review

Recommended Mitigation Steps

A zero value check is necessary, e.g. `require(movingAverage_ != 0, "zero moving average");`
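
The recommended check in context, as an added sketch that is not part of the original report and is not the Olympus RANGE.sol source. The contract name, the basis-point spread math, the `SCALE` constant and the single `permitted` caller are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// @notice Simplified stand-in for a range module (hypothetical, not RANGE.sol).
contract RangeSketch {
    error ZeroMovingAverage();
    error NotPermitted();

    struct Band {
        uint256 low;
        uint256 high;
    }

    uint256 public constant SCALE = 10_000; // assumed: spreads expressed in basis points
    uint256 public immutable wallSpread;
    uint256 public immutable cushionSpread;
    address public immutable permitted; // assumed: one permissioned caller

    Band public wall;
    Band public cushion;

    constructor(address permitted_, uint256 wallSpread_, uint256 cushionSpread_) {
        require(cushionSpread_ < wallSpread_ && wallSpread_ < SCALE, "bad spreads");
        permitted = permitted_;
        wallSpread = wallSpread_;
        cushionSpread = cushionSpread_;
    }

    /// @dev Every price is a product of movingAverage_, so a zero input
    ///      would write 0 into all four wall and cushion prices.
    function updatePrices(uint256 movingAverage_) external {
        if (msg.sender != permitted) revert NotPermitted();
        // The guard the report asks for: reject a zero moving average
        // before any state is written.
        if (movingAverage_ == 0) revert ZeroMovingAverage();

        wall.low = (movingAverage_ * (SCALE - wallSpread)) / SCALE;
        wall.high = (movingAverage_ * (SCALE + wallSpread)) / SCALE;
        cushion.low = (movingAverage_ * (SCALE - cushionSpread)) / SCALE;
        cushion.high = (movingAverage_ * (SCALE + cushionSpread)) / SCALE;
    }
}
```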

Oighty commented 2 years ago

There are no other contracts that call OlympusRange.updatePrices() currently and adding the check would cost additional gas. Given the system is modular with the Kernel architecture, we can update the OlympusRange contract in the future if needed.

0xean commented 1 year ago

Downgrading to QA. #423 is the warden's QA report.