Closed c4-bot-10 closed 6 months ago
0xRobocop marked the issue as primary issue
0xRobocop marked the issue as sufficient quality report
enthusiastmartin (sponsor) disputed
There is no evidence to support the warden's claim:
Thus, a hacker can take advantage of the situation and at a key moment steal a large amount of tokens because the price is outdated.
No impact demonstrated and the alternative (failing not silently) would result in the exact same system state.
OpenCoreCH marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/ema-oracle/src/lib.rs#L296-L338
Vulnerability details
Impact
The oracle will retain its previous value, leading to stale data that does not reflect the most recent market conditions. Thus, a hacker can take advantage of the situation and at a key moment steal a large amount of tokens because the price is outdated.
Proof of Concept
update_oracle()
function is used in onfinalize()
and update the oracle value:The problem is when the
update_outdated_to_current()
andupdate_to_new_by_integrating_incoming()
functions are called it is possible to fail. If this happens then the failure is silent because it is useddebug_assert!
.The function uses
unwrap_or_else
to handle potential errors when updating the oracle. If an update fails, it logs a warning message and triggers a debug assertion. Butdebug_assert!
statements have no effect in release builds. When updates fail, outdated price will continue to be used.Tools Used
Visual Studio Code
Recommended Mitigation Steps
Establish monitoring to track how long the price has been outdated.
Assessed type
Oracle