Closed c4-bot-4 closed 5 months ago
Reliant on admin mistake
GalloDaSballo marked the issue as insufficient quality report
GalloDaSballo marked the issue as remove high or low quality report
GalloDaSballo marked the issue as duplicate of #30
GalloDaSballo marked the issue as insufficient quality report
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/WiseOracleHub/OracleHelper.sol#L94-L95
Vulnerability details
OracleHelper#_validateAnswer() gets the price from the Chainlink price feed, which will be relatively recent because it is provided by the most reliable aggregator through the proxy, and then runs a validity check comparing the returned price with minAnswer and maxAnswer, which are retrieved directly from the aggregator because the proxy contract does not expose those values. However, Chainlink updates the aggregators from time to time, which can result in a change of the minAnswer and maxAnswer values, and the protocol does not allow for an aggregator address update. As a result, the minAnswer and maxAnswer values held by the protocol will be deprecated, the price will no longer be in the [minAnswer, maxAnswer] range, and the call to the oracle will always revert.
Proof of Concept
Consider the following scenario:
1. The token's price is high, and Chainlink sets the aggregator's minAnswer and maxAnswer according to that.
2. The price drops, and Chainlink deploys a new aggregator with minAnswer and maxAnswer values which reflect the price change.
3. _getChainlinkAnswer still gets the relatively recent price through the proxy.
4. _compareMinMax gets the old values of minAnswer and maxAnswer from the deprecated aggregator, set when the price was high.
5. The answer returned by _getChainlinkAnswer will always be lower than the old minAnswer, and the call to OracleHub will always revert.
Impact
Bad debts cannot be settled because the paybackBadDebtForToken function in FeeManager relies on the oracle to determine the amount received by the user. The use of paybackBadDebtNoReward is highly unlikely as it lacks incentives. Also, the FeeManager will no longer be able to claim fees, because claimWiseFees calls _distributeIncentives, which calls _gatherIncentives, where the oracle price is also used. Consequently, the protocol will become insolvent.
Tools Used
Manual Review
Recommended Mitigation Steps
Use the updatedAt value from the latestRoundData() function to make sure that the latest answer is recent enough to use.
Assessed type
DoS
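The following is an added example illustrating the pattern this report describes and a hardened variant; it is not code from the Wise Lending repository. It contrasts an oracle wrapper that pins the aggregator address at deployment (so its minAnswer/maxAnswer bounds go stale when Chainlink swaps aggregators) with one that resolves the aggregator through the proxy's aggregator() getter on every call and additionally applies the updatedAt staleness check recommended above. The interface shapes follow Chainlink's public contracts (EACAggregatorProxy exposes latestRoundData() and aggregator(); OffchainAggregator exposes minAnswer() and maxAnswer() as int192); the contract names, the per-feed heartbeat parameter and the revert strings are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Wise Lending code. Interface shapes follow Chainlink's
// EACAggregatorProxy and OffchainAggregator; names below are assumptions.

interface IChainlinkProxy {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
    // Address of the aggregator currently behind the proxy (changes on upgrades).
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

/// Pattern the report describes: the aggregator is pinned at construction, so the
/// min/max bounds it reports stop matching the live feed once Chainlink upgrades it.
contract PinnedBoundsOracle {
    IChainlinkProxy public immutable proxy;
    IOffchainAggregator public immutable aggregator; // never updated

    constructor(IChainlinkProxy _proxy) {
        proxy = _proxy;
        aggregator = IOffchainAggregator(_proxy.aggregator());
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , , ) = proxy.latestRoundData(); // live price via proxy
        // Bounds come from a possibly deprecated aggregator: once the live price
        // leaves the old [minAnswer, maxAnswer] window this reverts on every call.
        require(answer > aggregator.minAnswer() && answer < aggregator.maxAnswer(), "OUT_OF_RANGE");
        return uint256(answer);
    }
}

/// Hardened variant: look the aggregator up through the proxy on each call so the
/// bounds follow Chainlink's upgrades, and reject rounds older than a heartbeat.
contract LiveBoundsOracle {
    IChainlinkProxy public immutable proxy;
    uint256 public immutable heartbeat; // assumed max age of a round, in seconds

    constructor(IChainlinkProxy _proxy, uint256 _heartbeat) {
        proxy = _proxy;
        heartbeat = _heartbeat;
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = proxy.latestRoundData();
        require(answer > 0, "NON_POSITIVE_ANSWER");
        // Staleness check from the report's recommendation.
        require(updatedAt != 0 && block.timestamp - updatedAt <= heartbeat, "STALE_ANSWER");

        // Resolve the current aggregator instead of a stored one.
        IOffchainAggregator live = IOffchainAggregator(proxy.aggregator());
        int256 minAns = int256(live.minAnswer());
        int256 maxAns = int256(live.maxAnswer());
        // Strict bounds: an answer sitting exactly on a bound is the usual sign
        // that the real price moved outside the feed's configured range.
        require(answer > minAns && answer < maxAns, "OUT_OF_RANGE");
        return uint256(answer);
    }
}
```

Two caveats on the hardened variant. First, the updatedAt check on its own does not fix the problem in this report: a fresh round can still be rejected by stale bounds, so the dynamic aggregator lookup is the part that addresses the deprecated minAnswer/maxAnswer. Second, minAnswer()/maxAnswer() are not part of AggregatorV3Interface; they exist on OffchainAggregator-based feeds, and calling them on an aggregator that lacks them reverts, so a deployment should verify the feed type before relying on the bounds check.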