A failure in the oracle for a single market cascades, causing failures across all markets. This obstructs the process of minting prime tokens, inhibits the initialization of markets for users, prevents updating the user's score, and halts operations within the XVSVault.
Proof of Concept
When initializing markets for users and updating their scores, the Prime.updateScores and Prime._initializeMarkets functions are triggered. These loop through all markets and invoke _calculateScore for each one:
If there's an oracle failure in one market, the entire updateScore process crashes, leaving user scores not update, even if other markets are functioning correctly.
And we can see that there are cases when 3 validation in the oracle fails, it triggers the Resilient Oracle to revert the getPrice and getUnderlyingPrice function.
In addition to that, the owner of the Prime contract cannot remove the market to fix the situation.
Furthermore, the Prime contract's owner can't eliminate the troubled market to rectify the issue. Additionally, not refreshing scores for all markets freezes XVSVault deposits and withdrawals, as XVSVault calls Prime.xvsUpdated whenever a user's XVS balance in XVSVault changes.
Tools Used
Manual
Recommended Mitigation Steps
Implement a feature that allows markets to be removed from the Prime contract.
Lines of code
https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L625-L638 https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L211-L219 https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L660 https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L872-L884
Vulnerability details
Impact
A failure in the oracle for a single market cascades, causing failures across all markets. This obstructs the process of minting prime tokens, inhibits the initialization of markets for users, prevents updating the user's score, and halts operations within the XVSVault.
Proof of Concept
When initializing markets for users and updating their scores, the
Prime.updat
eScores andPrime._initializeMarkets
functions are triggered. These loop through all markets and invoke_calculateScore
for each one:https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L625-L638
https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L211-L219
Inside
_calculateScore
, the function_capitalForScore
is called to obtain a user's capital in the market:https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L660
_capitalForScore
queries the Resilient Oracle for xvs and the underlying token's prices:https://github.com/code-423n4/2023-09-venus/blob/f60b7110297f7b273288934d648af83897bcf0b2/contracts/Tokens/Prime/Prime.sol#L872-L884
If there's an oracle failure in one market, the entire updateScore process crashes, leaving user scores not update, even if other markets are functioning correctly.
And we can see that there are cases when 3 validation in the oracle fails, it triggers the Resilient Oracle to revert the
getPrice
andgetUnderlyingPrice
function.https://github.com/VenusProtocol/oracle/blob/e85cbe2edb4bd94cf2fe9ea9a6183cd1c112d6ff/contracts/ResilientOracle.sol#L363
https://docs-v4.venus.io/risk/resilient-price-oracle#safety-measures
In addition to that, the owner of the Prime contract cannot remove the market to fix the situation.
Furthermore, the Prime contract's owner can't eliminate the troubled market to rectify the issue. Additionally, not refreshing scores for all markets freezes
XVSVault
deposits and withdrawals, as XVSVault callsPrime.xvsUpdated
whenever a user's XVS balance in XVSVault changes.Tools Used
Manual
Recommended Mitigation Steps
Implement a feature that allows markets to be removed from the Prime contract.
Assessed type
Oracle