c4-pre-sort
commented
1 year ago raymondfam marked the issue as sufficient quality report
Closed c4-submissions closed 1 year ago
c4-pre-sort
commented
1 year ago raymondfam marked the issue as sufficient quality report
c4-pre-sort
commented
1 year ago raymondfam marked the issue as duplicate of #75
c4-judge
commented
1 year ago MiloTruck marked the issue as satisfactory
Lines of code
https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/oracles/CamelotRelayer.sol#L10 https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/libraries/OracleLibrary.sol#L28
Vulnerability details
The CamelotRelayer is using the Uniswap OracleLibrary but the problem is that the function names of some functions of Camelot differ from the Uniswap function names so the library is not going to work.
When calling
OracleLibrary.consult()in the library it will then callIUniswapV3Pool(pool).observewhich can be found in the UniswapV3PoolDerivedState here however if you check the PoolDerivedState of Camelot here(this is the address of the wstETH Camelot pool) you can see that the function names are different so when callingobserve()the tx will revert because the Camelot contracts dont have this function.Impact
The CamelotRelayer wont work and the tx will always revert when
getResultWithValidity()is calledProof of Concept
https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/libraries/OracleLibrary.sol#L28
As you can see
observe()is called whenconsult()is called in the library but if you check the Camelot pool you could see thatobserve()does not exist and its calledgetTimepoints()instead.Tools Used
Manual Review
Recommended Mitigation Steps
Create a library for Camelot and use the correct function names.
Assessed type
Library