Status: Closed (label: c4-submissions)
There are no gaps entailed. The new start time is lastRange.end:
Range(lastRange.end, endTimestamp, dailyInterestRate, prevClosePrice)
raymondfam marked the issue as low quality report
raymondfam marked the issue as primary issue
raymondfam marked the issue as duplicate of #25
kirk-baird marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/rwaOracles/RWADynamicOracle.sol#L45
Vulnerability details
The method allows appending new Range instances without restricting the gap between the end of the last range and the start of the new one. A large gap between consecutive ranges would produce a price discontinuity at the boundary, introducing volatility into the derived price and potentially disrupting the ecosystem.
Impact
Price Volatility: Sudden and unintended price movements can harm users and destabilize the system.
Economic Exploits: Malicious actors or informed traders might exploit these price shocks to gain undue profit.
Loss of Trust: Continuous volatility or significant price corrections can erode users' confidence in the platform.
Proof of Concept
Alice, an administrator, sets a new Range where the endTimestamp of the last range is 2023-12-15, but the new range's starting time is 2023-12-30, creating a 15-day gap.
Bob, an uninformed trader, makes a transaction based on the derived price on 2023-12-16. He is caught off guard by the price derived from the huge gap, resulting in an unexpected loss.
Carol, who was aware of the gap, leverages this information to make profitable trades at the expense of less informed users like Bob.
Over time, users like Bob become wary of the platform due to the frequent price shocks and consider moving to a more stable platform.
Tools Used
Recommended Mitigation Steps
Implement a mechanism to limit the allowable gap between consecutive ranges, ensuring smooth transitions.
Provide administrators with tools to modify or remove incorrect or harmful ranges. While it introduces a degree of centralization, it can be crucial for maintaining system stability.
Introduce an optional alert mechanism for users, notifying them of potential significant price changes due to large gaps.
Extend test cases to simulate scenarios with different gap lengths between ranges, ensuring that price derivations are smooth and within acceptable limits.
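The following is an added example, not code from the Ondo repository or from the report author. It is a constructed Python model of an append-only range oracle whose append operation pins the new range's start to the previous range's end (matching the judge's observation that the new start time is lastRange.end), together with a contiguity check of the kind the last mitigation step asks test cases to exercise. The `Range` field names, the `DAY`/`ONE` fixed-point constants and the compounding price formula are assumptions of this model, not the contract's actual arithmetic.

```python
"""Constructed model of an append-only range oracle (not the RWADynamicOracle contract)."""
from dataclasses import dataclass
from typing import List, Tuple

DAY = 86_400
ONE = 10**18  # 18-decimal fixed-point scale (assumption of this model)


@dataclass(frozen=True)
class Range:
    start: int                # inclusive start timestamp
    end: int                  # exclusive end timestamp
    daily_interest_rate: int  # fixed-point growth factor per day (hypothetical field)
    prev_close_price: int     # fixed-point price anchoring the range (hypothetical field)


def compound(rate: int, days: int) -> int:
    """rate**days in fixed point, rounding down each step (hypothetical pricing model)."""
    acc = ONE
    for _ in range(days):
        acc = acc * rate // ONE
    return acc


def range_for(ranges: List[Range], ts: int) -> Range:
    """Return the range covering ts, or raise if ts falls in a gap or outside all ranges."""
    for r in ranges:
        if r.start <= ts < r.end:
            return r
    raise LookupError(f"no range covers timestamp {ts}")


def has_range(ranges: List[Range], ts: int) -> bool:
    try:
        range_for(ranges, ts)
        return True
    except LookupError:
        return False


def price_at(ranges: List[Range], ts: int) -> int:
    """Hypothetical derivation: anchor price compounded once per elapsed day within the range."""
    r = range_for(ranges, ts)
    elapsed_days = (ts - r.start) // DAY
    return r.prev_close_price * compound(r.daily_interest_rate, elapsed_days + 1) // ONE


def find_gaps(ranges: List[Range]) -> List[Tuple[int, int]]:
    """Return (prev.end, next.start) pairs where consecutive ranges are not contiguous."""
    return [(a.end, b.start) for a, b in zip(ranges, ranges[1:]) if b.start != a.end]


class RangeOracleModel:
    def __init__(self, first: Range) -> None:
        if first.end <= first.start:
            raise ValueError("range must be non-empty")
        self.ranges: List[Range] = [first]

    def set_range(self, end_timestamp: int, daily_interest_rate: int, prev_close_price: int) -> Range:
        """Append a range; its start is taken from the last range's end, so no gap can be created."""
        last = self.ranges[-1]
        if end_timestamp <= last.end:
            raise ValueError("new range must extend past the last range")
        new = Range(last.end, end_timestamp, daily_interest_rate, prev_close_price)
        self.ranges.append(new)
        return new


# Constructed sample data for the checks below.
T0 = 1_700_000_000
RATE = ONE + ONE // 10_000  # 1.0001 per day, fixed point


def build_contiguous() -> List[Range]:
    """Six 30-day ranges appended through the pinned-start append path."""
    oracle = RangeOracleModel(Range(T0, T0 + 30 * DAY, RATE, 100 * ONE))
    for _ in range(5):
        last = oracle.ranges[-1]
        oracle.set_range(last.end + 30 * DAY, RATE, price_at(oracle.ranges, last.end - 1))
    return oracle.ranges


def build_gapped() -> List[Range]:
    """What an unguarded constructor with a free-form start could produce: a 15-day gap."""
    return [
        Range(T0, T0 + 30 * DAY, RATE, 100 * ONE),
        Range(T0 + 45 * DAY, T0 + 75 * DAY, RATE, 100 * ONE),
    ]


if __name__ == "__main__":
    print("gaps via set_range:", find_gaps(build_contiguous()))
    print("gaps via free-form start:", find_gaps(build_gapped()))
```

Running the block shows the pinned-start append path can never yield a gap, while the free-form list is flagged at (T0 + 30 days, T0 + 45 days), and any query inside that window has no range to price from. A test suite for the real contract would assert `find_gaps(...) == []` after every `setRange`-style call rather than relying on the caller to supply a correct start.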
Assessed type
Other