Open code423n4 opened 1 year ago
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-b
tom2o17 marked the issue as sponsor acknowledged
Not super concerned with having the price expire. This manual setting of the oracle price is really only intended to be used with respect to the CASH token.
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracle.sol#L64
Vulnerability details
Impact
Once a fixed price has been set by the owner, it never expires until the owner explicitly sets it to 0. This is risky because the contract might be working with an obsolete price if the owner fails to update the price in time.
Proof of Concept
setPrice
function getUnderlyingPrice
is retrieved then price P1 will be returned for fToken F. This shows that a fixed price which was set X days ago still works and never expires.
Recommended Mitigation Steps
A fixed price must expire after x seconds from when it was set. This will prevent the contract from using obsolete prices.
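The following is an added illustration of the recommended mitigation; it is not the Ondo contract, and only the function names setPrice and getUnderlyingPrice come from the finding. The contract name, the FixedPrice struct, the error names, the maxPriceAge parameter and the 1e18 price scale are assumptions made here to keep the example self-contained. The point it shows is that storing the timestamp alongside the price lets the read path reject a stale value instead of silently returning it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Minimal fixed-price oracle (assumed design, not the audited contract):
/// each price is stored together with the time the owner set it, and a read
/// reverts once the price is older than `maxPriceAge` seconds (the "x seconds"
/// from the recommendation).
contract ExpiringFixedPriceOracle {
    struct FixedPrice {
        uint256 price; // assumed to be scaled by 1e18, as the consumer expects
        uint256 setAt; // block.timestamp at which the owner last set the price
    }

    address public immutable owner;
    uint256 public immutable maxPriceAge; // e.g. 1 days, chosen at deployment
    mapping(address => FixedPrice) private prices; // fToken => fixed price

    event PriceSet(address indexed fToken, uint256 price, uint256 setAt);

    error NotOwner();
    error PriceNotSet(address fToken);
    error StalePrice(address fToken, uint256 setAt, uint256 maxAge);

    constructor(uint256 _maxPriceAge) {
        owner = msg.sender;
        maxPriceAge = _maxPriceAge;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Owner sets a fixed price (0 clears it); the timestamp is recorded with it.
    function setPrice(address fToken, uint256 price) external onlyOwner {
        prices[fToken] = FixedPrice({price: price, setAt: block.timestamp});
        emit PriceSet(fToken, price, block.timestamp);
    }

    /// Consumers receive the price only while it is fresh. A price set more than
    /// `maxPriceAge` seconds ago reverts rather than being returned as if current.
    function getUnderlyingPrice(address fToken) external view returns (uint256) {
        FixedPrice memory p = prices[fToken];
        if (p.price == 0) revert PriceNotSet(fToken);
        if (block.timestamp - p.setAt > maxPriceAge) {
            revert StalePrice(fToken, p.setAt, maxPriceAge);
        }
        return p.price;
    }
}
```

Reverting on a stale price is the conservative choice for a lending market: a loud failure is easier to detect and remediate than collateral being valued against a price the owner forgot to refresh. A deployment that prefers availability could instead fall back to a live feed when the fixed price has expired, but the staleness check itself is the part that closes the issue described above.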