Closed c4-bot-3 closed 5 months ago
Unclear to me whether the check should be done there, or is done somewhere else
GalloDaSballo marked the issue as sufficient quality report
GalloDaSballo marked the issue as primary issue
trust1995 marked the issue as satisfactory
trust1995 marked the issue as selected for report
trust1995 removed the grade
trust1995 marked the issue as not selected for report
The submission is incoherent, will scrap unless it is made more clear.
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseOracleHub/OracleHelper.sol#L270
Vulnerability details
Details
According to the project description, Wise Lending would be launched on both ETH mainnet and Arbitrum chains. The Chainlink price feed in `OracleHelper` validates the Chainlink price to ensure it does not return a stale price through the `_chainlinkIsDead` function. Additionally, it also does the check for sequencer uptime if on the Arbitrum chain through a separate function `sequencerIsDead`. It then combines both checks in the `WiseOracleHub.chainlinkIsDead` function. The `_chainlinkIsDead` validation is used within `OracleHelper.getETHPriceInUSD`, which returns the price of ETH in USD. This function is then used in `WiseOracleHub.getTokensPriceInUSD` and `WiseOracleHub.getTokensPriceFromUSD`. The issue comes in because using just the `_chainlinkIsDead` function to get the ETH price in `OracleHelper` does not consider whether the current chain is Arbitrum.

Impact
A user on Arbitrum who calls `OracleHelper.getEthPrice` and the other functions which rely on this, including `WiseOracleHub.getTokensPriceInUSD` and `WiseOracleHub.getTokensPriceFromUSD`, either directly or through usage of the protocol, may falsely assume that the price it returns is validated on the Arbitrum chain although the Arbitrum sequencer may be dead. This can also impact other aspects of the protocol as well as any other external protocols which may rely on the data from these functions, as these are potentially very important functions.

Proof of Concept
If the user who calls these functions is on Arbitrum, they would get an answer which has not passed through the sequencer validation on the Arbitrum chain. There may be an assumption that only users on ETH mainnet would call these functions; however, this is not explicitly stated or disallowed.
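To make the combined check described above concrete, here is an added illustration (not code from the Wise Lending repository) of an ETH/USD read that applies both the staleness check and the sequencer-uptime check before returning a price. The contract name `GuardedEthOracle`, the `heartbeat` constructor value, the `GRACE_PERIOD` constant and the convention that the sequencer feed is `address(0)` on mainnet are assumptions; the Chainlink uptime-feed semantics (answer `0` means the sequencer is up, `startedAt` is the time of the last status change) follow Chainlink's published L2 sequencer feed documentation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative oracle helper (not project code): every ETH/USD read must pass
/// the staleness check AND, on an L2 with a sequencer uptime feed, the sequencer check.
contract GuardedEthOracle {
    IAggregatorV3 public immutable ethUsdFeed;
    // Assumed deployment convention: address(0) on L1, the Chainlink uptime feed on Arbitrum.
    IAggregatorV3 public immutable sequencerUptimeFeed;
    uint256 public immutable heartbeat;          // maximum accepted feed age in seconds (assumed, e.g. 3600)
    uint256 public constant GRACE_PERIOD = 3600; // assumed wait after the sequencer comes back

    error InvalidAnswer(int256 answer);
    error StalePrice(uint256 updatedAt);
    error SequencerDown();
    error GracePeriodNotOver(uint256 restartedAt);

    constructor(IAggregatorV3 _ethUsdFeed, IAggregatorV3 _sequencerUptimeFeed, uint256 _heartbeat) {
        ethUsdFeed = _ethUsdFeed;
        sequencerUptimeFeed = _sequencerUptimeFeed;
        heartbeat = _heartbeat;
    }

    /// Staleness check: a non-positive answer or an update older than the heartbeat is "dead".
    function chainlinkIsDead(IAggregatorV3 feed) public view returns (bool) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) return true;
        if (updatedAt > block.timestamp) return true; // malformed round, treat as unusable
        return block.timestamp - updatedAt > heartbeat;
    }

    /// Sequencer check: down, or restarted too recently for the feed to have caught up.
    function sequencerIsDead() public view returns (bool) {
        if (address(sequencerUptimeFeed) == address(0)) return false; // L1: no sequencer to check
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (answer != 0) return true;                       // Chainlink: 0 = up, 1 = down
        return block.timestamp - startedAt < GRACE_PERIOD;  // just came back: still unsafe
    }

    /// The guarded read: both checks run on every call, whichever chain we are deployed on.
    function getETHPriceInUSD() external view returns (uint256) {
        if (sequencerIsDead()) revert SequencerDown();
        (, int256 answer, , uint256 updatedAt, ) = ethUsdFeed.latestRoundData();
        if (answer <= 0) revert InvalidAnswer(answer);
        if (chainlinkIsDead(ethUsdFeed)) revert StalePrice(updatedAt);
        return uint256(answer); // in the feed's native decimals (8 for Chainlink ETH/USD)
    }
}
```

The design point is that the sequencer check lives on the same path as the price read rather than in a separate caller-side helper, so a function such as `getETHPriceInUSD` cannot be reached on Arbitrum without it. A unit test for this pattern would deploy mock aggregators, set the uptime feed's answer to `1` (or its `startedAt` to within the grace period) and assert that the read reverts.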
Tools Used
Manual review
Recommended Mitigation Steps
`chainlinkIsDead` and `sequencerIsDead` functions in the `OracleHelper.getETHPriceInUSD`.

Assessed type
Oracle