code-423n4 / 2024-01-opus-findings


Prices used may be outdated or inaccurate #15

Closed c4-bot-2 closed 8 months ago

c4-bot-2 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/external/pragma.cairo#L123-L124

Vulnerability details

Impact

Prices used may be outdated or inaccurate

Proof of Concept

In the set_price_validity_thresholds function, new thresholds (new_thresholds) are established, where freshness and sources must fall within the range defined by hardcoded constants.

    const LOWER_FRESHNESS_BOUND: u64 = 60; // 1 minute
    const UPPER_FRESHNESS_BOUND: u64 = consteval_int!(4 * 60 * 60); // 4 hours * 60 minutes * 60 seconds
    const LOWER_SOURCES_BOUND: u32 = 3;
    const UPPER_SOURCES_BOUND: u32 = 13;

However, during initialization, there are no constraints imposed on these values, which may result in the initialized values not adhering to the predefined constant ranges. Consequently, this could lead to the retrieval of prices that are potentially outdated or inaccurate. Additionally, within the Seer mod, there is a similar issue with the setting of update_frequency.

    // Setter enforces the bounds; the constructor that sets the initial value does not.
    fn set_update_frequency(ref self: ContractState, new_frequency: u64) {
        self.access_control.assert_has_role(seer_roles::SET_UPDATE_FREQUENCY);
        assert(
            LOWER_UPDATE_FREQUENCY_BOUND <= new_frequency && new_frequency <= UPPER_UPDATE_FREQUENCY_BOUND,
            'SEER: Frequency out of bounds'
        );

        let old_frequency: u64 = self.update_frequency.read();
        self.update_frequency.write(new_frequency);
        self.emit(UpdateFrequencyUpdated { old_frequency, new_frequency });
    }

Tools Used

vscode

Recommended Mitigation Steps

It is recommended to also check in the constructor function whether freshness, sources and update_frequency fall within the range of the hardcoded constants.

Assessed type

Oracle
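As an added illustration (not code from the report or from the Opus repository), a hypothetical Cairo module that routes both the constructor and the setter through one shared bounds check, using the freshness and sources constants quoted above; the module name, storage fields, error strings and the assert_valid_thresholds helper are assumptions:

```cairo
#[starknet::contract]
mod PragmaThresholdsExample {
    // Bounds as quoted in the report.
    const LOWER_FRESHNESS_BOUND: u64 = 60; // 1 minute
    const UPPER_FRESHNESS_BOUND: u64 = consteval_int!(4 * 60 * 60); // 4 hours
    const LOWER_SOURCES_BOUND: u32 = 3;
    const UPPER_SOURCES_BOUND: u32 = 13;

    // Hypothetical storage layout for this illustration.
    #[storage]
    struct Storage {
        freshness_threshold: u64,
        sources_threshold: u32,
    }

    // Deployment with out-of-range values reverts instead of being silently accepted,
    // because the constructor reuses the same check as the setter.
    #[constructor]
    fn constructor(ref self: ContractState, freshness: u64, sources: u32) {
        assert_valid_thresholds(freshness, sources);
        self.freshness_threshold.write(freshness);
        self.sources_threshold.write(sources);
    }

    #[external(v0)]
    fn set_price_validity_thresholds(ref self: ContractState, freshness: u64, sources: u32) {
        // Access-control check omitted in this hypothetical contract.
        assert_valid_thresholds(freshness, sources);
        self.freshness_threshold.write(freshness);
        self.sources_threshold.write(sources);
    }

    // Single source of truth for the range check, so constructor and setter cannot diverge.
    fn assert_valid_thresholds(freshness: u64, sources: u32) {
        assert(
            LOWER_FRESHNESS_BOUND <= freshness && freshness <= UPPER_FRESHNESS_BOUND,
            'PGM: Freshness out of bounds'
        );
        assert(
            LOWER_SOURCES_BOUND <= sources && sources <= UPPER_SOURCES_BOUND,
            'PGM: Sources out of bounds'
        );
    }
}
```

The same pattern applies to the Seer update_frequency: have the constructor call the same bounds assertion that set_update_frequency already performs.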

c4-pre-sort commented 9 months ago

bytes032 marked the issue as insufficient quality report

alex-ppg commented 8 months ago

The Warden specifies misbehavior that may arise from misconfiguring the contracts during their deployment; such findings cannot constitute HM vulnerabilities per the relevant SC verdict.

c4-judge commented 8 months ago

alex-ppg marked the issue as unsatisfactory: Invalid