code-423n4 / 2023-01-ondo-findings


Fixed price never expires #310

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracle.sol#L64

Vulnerability details

Impact

Once a fixed price has been set by the owner, it never expires until the owner explicitly sets it to 0. This could be risky, since the contract might be working with an obsolete price if the owner failed to update the price in a timely manner.

Proof of Concept

  1. Owner sets fixed price P1 for fToken F using the setPrice function:

```solidity
// OndoPriceOracle.setPrice: stores the fixed price with no timestamp or expiry
function setPrice(address fToken, uint256 price) external override onlyOwner {
    uint256 oldPrice = fTokenToUnderlyingPrice[fToken];
    fTokenToUnderlyingPrice[fToken] = price;
    emit UnderlyingPriceSet(fToken, oldPrice, price);
}
```

  2. After X days, if getUnderlyingPrice is called, price P1 will still be returned for fToken F. This shows that a fixed price set X days ago still works and never expires:

```solidity
// OndoPriceOracle.getUnderlyingPrice: any non-zero fixed price is returned
// unconditionally, regardless of how long ago it was set
function getUnderlyingPrice(
    address fToken
) external view override returns (uint256) {
    if (fTokenToUnderlyingPrice[fToken] != 0) {
        return fTokenToUnderlyingPrice[fToken];
    } else {
        ...
    }
}
```

Recommended Mitigation Steps

A fixed price must expire x seconds after it is set. This will prevent the contract from using obsolete prices.
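One way to implement the suggested expiry, as an added example that is not part of the original submission or of Ondo's code: record the timestamp alongside the fixed price and treat any price older than a configurable `maxAge` as unset. The contract name, the `maxAge` constructor parameter, the `FixedPrice` struct and the `isFixedPriceValid` helper are assumptions introduced here; the fallback branch of the real `getUnderlyingPrice` is elided in the finding, so this example reverts instead of serving a stale price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Added example (not Ondo's code): a fixed-price override that expires.
/// Contract name, maxAge and the FixedPrice struct are assumptions.
contract ExpiringFixedPriceOracle {
    struct FixedPrice {
        uint256 price; // underlying price; 0 means "not set"
        uint64 setAt;  // block.timestamp at which the price was set
    }

    address public owner;
    uint256 public immutable maxAge; // seconds a fixed price stays valid (assumed parameter)
    mapping(address => FixedPrice) public fixedPrices;

    event UnderlyingPriceSet(
        address indexed fToken,
        uint256 oldPrice,
        uint256 newPrice,
        uint64 setAt
    );

    error NotOwner();
    error NoValidFixedPrice(address fToken);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 _maxAge) {
        owner = msg.sender;
        maxAge = _maxAge;
    }

    /// Same shape as the finding's setPrice, but also records when the price was set.
    /// Setting price to 0 still clears the override, as in the original.
    function setPrice(address fToken, uint256 price) external onlyOwner {
        uint256 oldPrice = fixedPrices[fToken].price;
        uint64 nowTs = uint64(block.timestamp);
        fixedPrices[fToken] = FixedPrice({price: price, setAt: nowTs});
        emit UnderlyingPriceSet(fToken, oldPrice, price, nowTs);
    }

    /// True only when a non-zero fixed price exists and is no older than maxAge.
    function isFixedPriceValid(address fToken) public view returns (bool) {
        FixedPrice memory fp = fixedPrices[fToken];
        return fp.price != 0 && block.timestamp - fp.setAt <= maxAge;
    }

    /// Returns the fixed price while it is fresh; once it expires the override is
    /// ignored exactly as if it had been cleared. The original oracle's fallback
    /// path is elided in the finding, so this example reverts in that case.
    function getUnderlyingPrice(address fToken) external view returns (uint256) {
        if (isFixedPriceValid(fToken)) {
            return fixedPrices[fToken].price;
        }
        revert NoValidFixedPrice(fToken);
    }
}
```

With `maxAge` set to, say, one day, a price set via `setPrice` is served for the next 86400 seconds and then silently stops being used, so a forgotten override can no longer feed an obsolete value into the lending contract; the owner must re-set it to keep it alive.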

c4-judge commented 1 year ago

trust1995 changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

trust1995 marked the issue as grade-b

c4-sponsor commented 1 year ago

tom2o17 marked the issue as sponsor acknowledged

tom2o17 commented 1 year ago

Not super concerned with having the price expire. This manual setting of the oracle price is really only intended to be used with respect to the CASH token.