code-423n4 / 2023-01-ondo-findings


fToken and cToken can be associated with the same address in Ondo Oracle #267

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracle.sol#L92-L99
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracleV2.sol#L194-L220

Vulnerability details

Impact

When the Owner of the Ondo Price Oracle contracts attempts to associate the custom fToken with an external cToken, it is possible to use the same address for both tokens, such that fTokenToCToken[fToken] is the fToken address itself. There is no check to ensure fToken != cToken.

This could lead to the Oracle returning the price of the fToken instead of the cToken in the call to getUnderlyingPrice().

Proof of Concept

  1. In the OndoPriceOracle contract, the owner could call the setFTokenToCToken() function with the same address: https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracle.sol#L92-L99
  2. Assume contractA is an fToken and the owner calls setFTokenToCToken() with contractA as fToken == cToken.
  3. The check in lines 120 - 121 in _setFTokenToCToken() would pass.
  4. fTokenToCToken[fToken] will be contractA.
  5. The call to getUnderlyingPrice() would return the price for the fToken instead of the cToken.

Tools Used

Manual

Recommended Mitigation Steps

Add an additional line in the functions to ensure the fToken address is not equal to the cToken address.
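
The recommended check, sketched in Solidity as an added example that is not part of the original report or the Ondo code base. The contract is a simplified model: `GuardedOracleSketch`, `ICTokenOracle`, the `AssociationSet` event and the custom errors are hypothetical names; only `fTokenToCToken`, `setFTokenToCToken()` and `getUnderlyingPrice()` are taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Hypothetical interface for the external oracle that prices cTokens.
interface ICTokenOracle {
    function getUnderlyingPrice(address cToken) external view returns (uint256);
}

// Simplified model for illustration only; not the Ondo contracts.
contract GuardedOracleSketch {
    address public immutable owner;
    ICTokenOracle public immutable cTokenOracle; // assumed external price source

    // fToken => cToken whose price is used for that fToken
    mapping(address => address) public fTokenToCToken;

    event AssociationSet(address indexed fToken, address oldCToken, address newCToken);

    error NotOwner();
    error SelfAssociation(address token);
    error NotAssociated(address fToken);

    constructor(ICTokenOracle oracle) {
        owner = msg.sender;
        cTokenOracle = oracle;
    }

    function setFTokenToCToken(address fToken, address cToken) external {
        if (msg.sender != owner) revert NotOwner();
        // The check the report recommends: reject fToken == cToken so an
        // fToken can never be recorded as its own price reference.
        if (fToken == cToken) revert SelfAssociation(fToken);

        address oldCToken = fTokenToCToken[fToken];
        fTokenToCToken[fToken] = cToken;
        emit AssociationSet(fToken, oldCToken, cToken);
    }

    function getUnderlyingPrice(address fToken) external view returns (uint256) {
        address cToken = fTokenToCToken[fToken];
        // An unset mapping resolves to address(0); fail instead of querying it.
        if (cToken == address(0)) revert NotAssociated(fToken);
        // With the guard above, this lookup is always for a distinct cToken.
        return cTokenOracle.getUnderlyingPrice(cToken);
    }
}
```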

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2023-01-ondo-findings/issues/273

c4-judge commented 1 year ago

trust1995 marked the issue as grade-b