Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L173
Vulnerability details
Impact
The accidental usage of an address in the setAdmin function (lines 175-181 in ChainlinkOracle.sol) would prevent the use of onlyAdmin() in the functions setUnderlyingPrice, setDirectPrice and setFeed. This would have a critical impact on the system if either setDirectPrice or setUnderlyingPrice must be executed at times of critical economic events or oracle malfunction, or if a particular Chainlink feed address becomes obsolete or malfunctions.
Proof of Concept
Having functions like setUnderlyingPrice and setDirectPrice supposes that critical economic and technical events are to be mitigated by the admin manually setting the price of an asset. Consequently, setting the admin must be executed with great precision, with the help of a two-step, battle-tested process.
Tools Used
Manual, VS Code
Recommended Mitigation Steps
Integrate a two-step ownership transfer process.
Assessed type
Governance
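The two-step transfer recommended above, sketched as an added example (not code from the report or from ChainlinkOracle.sol). The names pendingAdmin, proposeAdmin, acceptAdmin, the events and the errors are hypothetical, and setDirectPrice here is a simplified stand-in for the admin-gated setters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration: two-step admin handover for an oracle-style contract.
/// pendingAdmin, proposeAdmin, acceptAdmin, the events and the errors are
/// hypothetical names, not taken from ChainlinkOracle.sol.
contract TwoStepAdmin {
    address public admin;
    address public pendingAdmin;
    mapping(bytes32 => uint256) public prices;

    event NewPendingAdmin(address indexed oldPending, address indexed newPending);
    event NewAdmin(address indexed oldAdmin, address indexed newAdmin);

    error NotAdmin();
    error NotPendingAdmin();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    /// Step 1: the current admin nominates a successor. admin is unchanged,
    /// so a mistyped address can be corrected by calling this again, or the
    /// nomination cancelled by passing address(0).
    function proposeAdmin(address newPendingAdmin) external onlyAdmin {
        emit NewPendingAdmin(pendingAdmin, newPendingAdmin);
        pendingAdmin = newPendingAdmin;
    }

    /// Step 2: the nominee proves control of the address by calling from it.
    /// Only then does onlyAdmin start to apply to the new address.
    function acceptAdmin() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        emit NewAdmin(admin, msg.sender);
        admin = msg.sender;
        pendingAdmin = address(0);
    }

    /// Stand-in for setUnderlyingPrice / setDirectPrice / setFeed: it remains
    /// callable by the old admin until acceptAdmin succeeds.
    function setDirectPrice(bytes32 key, uint256 price) external onlyAdmin {
        prices[key] = price;
    }
}
```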