code-423n4 / 2024-02-wise-lending-findings


No error handling and fallback feeds for Chainlink oracle calls in Pendle wrappers #168

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/DerivativeOracles/PendleLpOracle.sol#L88-L93
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/DerivativeOracles/PtOracleDerivative.sol#L86-L98
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/DerivativeOracles/PtOraclePure.sol#L73-L79
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/DerivativeOracles/PendleLpOracle.sol#L63
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/DerivativeOracles/PtOracleDerivative.sol#L49-L53
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/DerivativeOracles/PtOraclePure.sol#L46-L48
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/DerivativeOracles/PendleChildLpOracle.sol#L15

Vulnerability details

Impact

Inability to use and access funds from contracts dependent on the Chainlink oracles. Primarily affected are the power-farm-related contracts.

Proof of Concept

Calls to Chainlink oracles may revert and cause a DoS of the dependent contracts. Chainlink can decide to block access to particular feeds whenever needed. During the downtime, users won't be able to access their funds.

The feeds are also immutable in PendleLpOracle, PtOracleDerivative, PtOraclePure, and PendleChildLpOracle, making them impossible to change if a DoS occurs.

Tools Used

Manual Review

Recommended Mitigation Steps

It's recommended that the potential errors from Chainlink are handled properly on an error-by-error basis and a fallback oracle is used to let users interact with their funds.

Assessed type

Oracle
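As an added illustration of the mitigation the report recommends (not code from the Wise Lending repository or from the warden's submission), the hypothetical wrapper below queries a primary Chainlink aggregator inside `try/catch`, validates the returned round, and falls back to a second feed when the primary reverts or returns a stale or non-positive answer. The contract name, the `primaryFeed`/`fallbackFeed`/`heartbeat` state, and the `getPrice`/`_tryFeed` functions are assumptions for this example; the interface is a minimal copy of Chainlink's `AggregatorV3Interface` embedded so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal copy of Chainlink's AggregatorV3Interface, embedded so this example is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical price wrapper (example code, not part of Wise Lending).
/// Tries the primary feed, then the fallback; only reverts when neither yields a fresh, positive answer.
contract FallbackPriceFeed {
    AggregatorV3Interface public primaryFeed;
    AggregatorV3Interface public fallbackFeed;
    uint256 public immutable heartbeat; // maximum age of an answer before it is treated as stale
    address public owner;

    event FeedsUpdated(address primary, address fallbackFeed);

    error NotOwner();
    error NoValidPrice();

    constructor(address _primary, address _fallback, uint256 _heartbeat) {
        primaryFeed = AggregatorV3Interface(_primary);
        fallbackFeed = AggregatorV3Interface(_fallback);
        heartbeat = _heartbeat;
        owner = msg.sender;
    }

    // Feeds are replaceable so a deprecated or blocked aggregator can be swapped out;
    // the report's second point is that the audited oracles store them as immutable.
    function setFeeds(address _primary, address _fallback) external {
        if (msg.sender != owner) revert NotOwner();
        primaryFeed = AggregatorV3Interface(_primary);
        fallbackFeed = AggregatorV3Interface(_fallback);
        emit FeedsUpdated(_primary, _fallback);
    }

    /// Returns (price, decimals) from the first feed that passes validation.
    function getPrice() external view returns (uint256 price, uint8 dec) {
        bool ok;
        (ok, price, dec) = _tryFeed(primaryFeed);
        if (ok) return (price, dec);
        (ok, price, dec) = _tryFeed(fallbackFeed);
        if (ok) return (price, dec);
        revert NoValidPrice();
    }

    /// Queries one aggregator without letting its revert propagate to the caller.
    function _tryFeed(AggregatorV3Interface feed)
        internal
        view
        returns (bool ok, uint256 price, uint8 dec)
    {
        if (address(feed) == address(0)) return (false, 0, 0);

        // try/catch swallows a revert raised inside the aggregator (e.g. a feed whose access
        // has been revoked) instead of bricking every function that depends on this oracle.
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (answer <= 0) return (false, 0, 0);                              // invalid answer
            if (updatedAt == 0 || updatedAt > block.timestamp) return (false, 0, 0); // malformed round
            if (block.timestamp - updatedAt > heartbeat) return (false, 0, 0);  // stale answer
            price = uint256(answer);
        } catch {
            return (false, 0, 0);
        }

        try feed.decimals() returns (uint8 d) {
            dec = d;
        } catch {
            return (false, 0, 0);
        }
        return (true, price, dec);
    }
}
```

Two caveats a practitioner should keep in mind: `try/catch` only catches a revert raised inside the callee, so if the feed address holds no code or returns malformed data, ABI decoding fails in the caller and the transaction still reverts; and the fallback feed needs its own staleness bound, since silently serving an old price is a different failure than reverting, not necessarily a better one for a lending protocol.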

GalloDaSballo commented 6 months ago

I think this falls as OOS as known

From README:

Also excluded are secondary centralization effects

c4-pre-sort commented 6 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as primary issue

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Out of scope