search

code-423n4 / 2023-09-centrifuge-findings

16 stars 14 forks source link

The price update timestamp doesn't get checked, allowing for the use of stale prices #778

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L72 https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L75 https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L324-L328

Vulnerability details

Impact

It allows for the use of stale prices in cases where they will either damage the protocol or the user.

Proof of Concept

The protocol has a price oracle system where the price gets updated by an account with a privileged role by calling updatePrice().

function updatePrice(uint128 price) public auth {
    latestPrice = price;
    lastPriceUpdate = block.timestamp;
    emit UpdatePrice(price);
}

The issue arises due to lastPriceUpdate not getting used in order to make sure old prices do not get used when interacting with the protocol.

Tools Used

Manual review

Recommended Mitigation Steps

Consider implementing the following constant value:

uint256 public constant MAX_STALENESS_IN_SECONDS = 5 * 60 * 60; // 5 hours

Also add the following check before any place where latestPrice is used. 


require (block.timestamp - MAX_STALENESS_IN_SECONDS <= lastPriceUpdate, "stale price");

Assessed type

Other

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #66

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #552

c4-pre-sort commented 1 year ago

raymondfam marked the issue as sufficient quality report

c4-judge commented 1 year ago

gzeon-c4 marked the issue as unsatisfactory: Invalid