Open c4-bot-9 opened 8 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) disputed
This is not an issue as the contract is deployed with non zero price feeds and checked at the time of deployment.
This report shows how the initial deployer could misconfigure the system to exploit it later, either by using an address(0) or because there is initially no cooldown. As it falls within centralization risk and misconfiguration issues I'll downgrade to QA.
Picodes marked the issue as satisfactory
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L37-L44
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L50-L51
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L122-L123
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L151-L158
Vulnerability details
Impact
The `PriceAggregator.setInitialFeeds` function is used to set the initial price feeds and can only be called by the owner. It can only be called once by the owner, as the `require( address(priceFeed1) == address(0), "setInitialFeeds() can only be called once" )` check shows. If the owner needs to change the price feeds thereafter, he will have to call the `PriceAggregator.setPriceFeed` function, which implements a price modification cooldown period. This is why `setInitialFeeds` is implemented as a function that can be called only once.

Because of the way the `PriceAggregator._aggregatePrices` function works, even two price feeds are enough for the price aggregator to work properly, since the condition that requires more feeds is bypassed with two valid price feeds. Hence the owner can call the `PriceAggregator.setInitialFeeds` function multiple times to change `priceFeed2` and `priceFeed3` as he needs, without waiting for the price modification cooldown period.

Let's consider the following scenario:
1. The owner calls the `PriceAggregator.setInitialFeeds` function with `_priceFeed1 == address(0)` and provides valid price feed addresses for `_priceFeed2` and `_priceFeed3`.
2. As a result, `priceFeed1` will remain `== address(0)`.
3. The owner can therefore pass the `require( address(priceFeed1) == address(0), "setInitialFeeds() can only be called once" )` check and call the `PriceAggregator.setInitialFeeds` function again to change `priceFeed2` and `priceFeed3` as he wishes, without waiting for the price modification cooldown period.
4. With `priceFeed1` being `address(0)`, the price aggregator will work fine, since the call to `priceFeed1` (in the `PriceAggregator._getPriceBTC` and `PriceAggregator._getPriceETH` functions) is performed in a `try`/`catch` block, and as a result the call to `address(0)` will not revert the transaction.
5. Two valid price feeds are enough for the `PriceAggregator` contract to work properly.

Hence, if the owner requires, he can decide to keep changing `priceFeed2` and `priceFeed3` as he needs without waiting for the price modification cooldown period. This makes the `PriceAggregator.setPriceFeed` function less useful, since its price modification cooldown period can easily be bypassed by the owner to change the price feeds as he wishes. Furthermore, this should not be considered an admin mistake, since the `PriceAggregator.setInitialFeeds` function is designed in such a way that even the owner is not allowed to call the function more than once. This vulnerability clearly shows how the owner can call the `PriceAggregator.setInitialFeeds` function to change `priceFeed2` and `priceFeed3` multiple times, contrary to what the function is designed to do.

Note: Even though the L1 of the automated report states "User facing functions should have address(0) checks", it does not mention this exact vulnerability or its impact.

Proof of Concept
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L37-L44
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L50-L51
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L122-L123
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/PriceAggregator.sol#L151-L158
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
It is recommended to implement an `address(0)` check for the `_priceFeed1` address in the `PriceAggregator.setInitialFeeds` function, such that the transaction reverts if `address(0)` is passed in as `_priceFeed1`. This will ensure that `_priceFeed1` is set to a non-zero value and, as a result, that `PriceAggregator.setInitialFeeds` can only be called once.

Assessed type
Invalid Validation
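The following Python model is an added example, not code from the Salty.IO repository or from the warden's report. It reproduces the scenario in the Impact section (an owner who leaves `_priceFeed1` at `address(0)` and re-runs `setInitialFeeds` with no cooldown, while the aggregator keeps working on two feeds) next to the recommended mitigation (an `address(0)` check on `_priceFeed1`, after which feed changes must go through the cooldown-guarded setter). The feed addresses, prices, the cooldown length and the "average the two closest prices" aggregation rule are constructed assumptions of the model, not the contract's actual logic.

```python
# Added model of the behaviour the finding describes; not Salty.IO contract code.
# Feed addresses, prices, COOLDOWN and the aggregation rule are assumptions.

ZERO = "0x0"               # stands in for address(0)
COOLDOWN = 35 * 24 * 3600  # assumed cooldown length in seconds (constructed)

# Constructed "deployed" feeds: address -> latest price. An address with no
# entry (such as ZERO) models a feed whose call reverts.
REGISTRY = {"0xfeedA": 40_000, "0xfeedB": 40_100, "0xfeedC": 40_050, "0xfeedD": 1_000}


class PriceAggregator:
    """State model: three feeds, a once-only initial setter guarded only by
    priceFeed1 == address(0), and a cooldown-guarded single-feed setter."""

    def __init__(self, owner, registry, strict_initial_check=False):
        self.owner = owner
        self.registry = registry
        self.price_feed1 = self.price_feed2 = self.price_feed3 = ZERO
        self.last_change = None
        self.now = 0  # constructed block timestamp
        self.strict_initial_check = strict_initial_check  # True = mitigation applied

    def _only_owner(self, caller):
        if caller != self.owner:
            raise PermissionError("Ownable: caller is not the owner")

    def set_initial_feeds(self, caller, f1, f2, f3):
        self._only_owner(caller)
        # Guard quoted in the finding: only priceFeed1 is inspected.
        if self.price_feed1 != ZERO:
            raise ValueError("setInitialFeeds() can only be called once")
        # Recommended mitigation: reject address(0) for _priceFeed1, so the
        # guard above can never be satisfied a second time.
        if self.strict_initial_check and f1 == ZERO:
            raise ValueError("_priceFeed1 cannot be address(0)")
        self.price_feed1, self.price_feed2, self.price_feed3 = f1, f2, f3

    def set_price_feed(self, caller, index, addr):
        self._only_owner(caller)
        # Cooldown guard: at most one feed change per COOLDOWN seconds.
        if self.last_change is not None and self.now < self.last_change + COOLDOWN:
            raise ValueError("price feed cooldown has not elapsed")
        setattr(self, f"price_feed{index}", addr)
        self.last_change = self.now

    def _try_price(self, addr):
        # As the report describes: a failing feed call (including one to
        # address(0)) is caught and treated as price 0 instead of reverting.
        try:
            return self.registry[addr]
        except KeyError:
            return 0

    def get_price(self):
        prices = [self._try_price(a) for a in
                  (self.price_feed1, self.price_feed2, self.price_feed3)]
        usable = sorted(p for p in prices if p > 0)
        if len(usable) < 2:
            raise ValueError("fewer than two usable price feeds")
        # Assumed aggregation rule: average the two closest usable prices.
        lo, hi = min(zip(usable, usable[1:]), key=lambda pair: pair[1] - pair[0])
        return (lo + hi) // 2


def _reverts(call):
    """True if the modelled transaction reverts (the call raises)."""
    try:
        call()
        return False
    except (ValueError, PermissionError):
        return True


def run_finding_scenario():
    """Owner leaves priceFeed1 at address(0) and re-runs setInitialFeeds at will."""
    agg = PriceAggregator("owner", REGISTRY)
    agg.set_initial_feeds("owner", ZERO, "0xfeedA", "0xfeedB")
    before = agg.get_price()
    # Same block, no cooldown: the once-only guard still passes, and swapping in
    # a badly priced feed moves the aggregated price immediately.
    agg.set_initial_feeds("owner", ZERO, "0xfeedC", "0xfeedD")
    return {"initial_price": before, "price_after_recall": agg.get_price()}


def run_mitigated_scenario():
    """Same sequence with the address(0) check on _priceFeed1 in place."""
    agg = PriceAggregator("owner", REGISTRY, strict_initial_check=True)
    out = {}
    out["zero_feed1_rejected"] = _reverts(
        lambda: agg.set_initial_feeds("owner", ZERO, "0xfeedA", "0xfeedB"))
    agg.set_initial_feeds("owner", "0xfeedA", "0xfeedB", "0xfeedC")
    out["second_call_rejected"] = _reverts(
        lambda: agg.set_initial_feeds("owner", "0xfeedA", "0xfeedC", "0xfeedD"))
    # Later changes must go through setPriceFeed, which enforces the cooldown.
    agg.set_price_feed("owner", 3, "0xfeedD")
    out["cooldown_enforced"] = _reverts(
        lambda: agg.set_price_feed("owner", 2, "0xfeedD"))
    agg.now += COOLDOWN
    out["allowed_after_cooldown"] = not _reverts(
        lambda: agg.set_price_feed("owner", 2, "0xfeedD"))
    return out
```

`run_finding_scenario()` shows the aggregated price moving from the two original feeds to a value dominated by the swapped-in feed with no cooldown in between, because the once-only guard is satisfied again while `priceFeed1` stays at `address(0)` and the aggregator is content with two usable prices. `run_mitigated_scenario()` shows that with the recommended check the zero-address initial call is refused, the second `setInitialFeeds` call is refused, and subsequent feed changes are rate-limited by the cooldown in `setPriceFeed`.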