code-423n4 / 2022-10-inverse-findings


Hardcoded prices are subject to be abused #543

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L61

Vulnerability details

Impact

Hardcoded prices are subject to abuse, which might result in the protocol issuing tokens at a lower or a much higher value than they are worth.

Proof of Concept

The Oracle contract has a setFixedPrice function behind the admin privilege that can set an arbitrary token price to an arbitrary fixed value, as below:

    /// Operator-only: pins the oracle price of `token` to a fixed value.
    function setFixedPrice(address token, uint price) public onlyOperator {
        fixedPrices[token] = price;
    }


However, experience has shown us that any hardcoded price can be abused by users/bots. Even tokens which are set to a fixed price can be de-pegged from the prices they are set to. This will cause the protocol to lend tokens at a cheaper price, which will cause inflation and abuse of the system.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider canceling this functionality.
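The failure mode the finding describes can be made concrete with a small model. The block below is an added illustration written for this thread, not code from the Inverse repository: it models a lending market that values collateral through an oracle where an operator-set fixed price takes precedence over the market feed (the precedence is assumed here, since the thread only shows the setter), computes how much bad debt appears when the pegged asset trades below its fixed price, and shows one defensive variant (a deviation check that falls back to the lower of the two prices) as a hypothetical mitigation rather than anything the sponsor implemented.

```python
from dataclasses import dataclass, field


@dataclass
class Oracle:
    """Toy oracle: a fixed price, when set, overrides the market feed (assumed precedence)."""
    fixed_prices: dict = field(default_factory=dict)   # token -> operator-set price
    market_prices: dict = field(default_factory=dict)  # token -> feed price (stands in for Chainlink)

    def set_fixed_price(self, token: str, price: float) -> None:
        # Mirrors setFixedPrice(token, price) from the finding: no sanity check at all.
        self.fixed_prices[token] = price

    def get_price(self, token: str) -> float:
        if token in self.fixed_prices:
            return self.fixed_prices[token]
        return self.market_prices[token]


def max_borrow(oracle: Oracle, token: str, collateral_amount: float, collateral_factor: float) -> float:
    """Debt the market will extend against `collateral_amount` of `token`."""
    return collateral_amount * oracle.get_price(token) * collateral_factor


def shortfall_after_depeg(oracle: Oracle, token: str, collateral_amount: float,
                          collateral_factor: float, market_price: float) -> float:
    """Bad debt created if the fixed-price token actually trades at `market_price`.

    The borrower can take the full loan at the fixed price, and the protocol keeps
    valuing the position at that price even after the depeg, so nothing triggers
    liquidation. The uncovered portion is debt minus what the collateral really fetches.
    """
    debt = max_borrow(oracle, token, collateral_amount, collateral_factor)
    real_value = collateral_amount * market_price
    return max(0.0, debt - real_value)


def guarded_price(oracle: Oracle, token: str, max_deviation: float) -> float:
    """Hypothetical mitigation (not from the project): honour the fixed price only
    while the feed agrees with it within `max_deviation`; otherwise value the
    collateral at the lower of the two so a depeg cannot inflate borrowing power."""
    fixed = oracle.fixed_prices.get(token)
    market = oracle.market_prices.get(token)
    if fixed is None:
        return market
    if market is None:
        return fixed
    if abs(fixed - market) / fixed > max_deviation:
        return min(fixed, market)
    return fixed


def demo() -> dict:
    # Constructed scenario: a "lossless" DOLA-like derivative pinned at 1.0,
    # 1000 units posted as collateral, 80% collateral factor, then a 30% depeg.
    oracle = Oracle()
    oracle.set_fixed_price("pegged", 1.0)
    oracle.market_prices["pegged"] = 1.0
    borrowed = max_borrow(oracle, "pegged", 1000, 0.8)

    oracle.market_prices["pegged"] = 0.7  # feed now reports the depeg; fixed price ignores it
    return {
        "borrowed_at_fixed_price": borrowed,
        "oracle_still_reports": oracle.get_price("pegged"),
        "bad_debt": shortfall_after_depeg(oracle, "pegged", 1000, 0.8, 0.7),
        "guarded_price": guarded_price(oracle, "pegged", 0.02),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the constructed numbers the market lends 800 against collateral that is later worth 700, leaving 100 of unbacked debt, while the unguarded oracle keeps reporting 1.0 and never flags the position; the guarded variant drops to 0.7 as soon as the feed diverges, which is the kind of check a reviewer would look for before accepting a fixed-price path for anything that can trade on a secondary market.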

c4-sponsor commented 2 years ago

08xmt marked the issue as sponsor disputed

08xmt commented 2 years ago

It's incorrect that fixed prices can never be used safely, but correct that it's unsafe for the vast majority of tokens. The fixed price oracle is purely intended for the use of lossless DOLA derivatives that guarantee the ability to withdraw.

0xean commented 2 years ago

Downgrading to QA; the sponsor has made a design choice to allow fixed prices for certain functionality.

c4-judge commented 2 years ago

0xean changed the severity to QA (Quality Assurance)

c4-judge commented 2 years ago

0xean marked the issue as grade-c