code-423n4 / 2024-02-wise-lending-findings


`OracleHelper.sol#_validateAnswer` function may not return the exact price of the token. #222

Closed c4-bot-4 closed 5 months ago

c4-bot-4 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/WiseOracleHub/OracleHelper.sol#L131-L174

Vulnerability details

Impact

The exact token price may not be returned. In the `OracleHelper.sol#_validateAnswer` function, the price of the token is obtained from Chainlink and from the Uniswap TWAP, but ultimately only the Chainlink price is returned. Since the Uniswap TWAP is not used in the resulting price calculation, the token price may be inaccurate.

Proof of Concept

The `OracleHelper.sol#_validateAnswer` function is as follows.

    function _validateAnswer(
        address _tokenAddress
    )
        internal
        view
        returns (uint256)
    {
        UniTwapPoolInfo memory uniTwapPoolInfoStruct = uniTwapPoolInfo[
            _tokenAddress
        ];

        uint256 fetchTwapValue;

        if (uniTwapPoolInfoStruct.oracle > ZERO_ADDRESS) {
            fetchTwapValue = latestResolverTwap(
                _tokenAddress
            );
        }
    149:
    150:    uint256 answer = _getChainlinkAnswer(
    151:        _tokenAddress
            );

        if (tokenAggregatorFromTokenAddress[_tokenAddress] > ZERO_AGGREGATOR) {
            _compareMinMax(
                tokenAggregatorFromTokenAddress[_tokenAddress],
                int192(uint192(answer))
            );
        }

        if (fetchTwapValue > 0) {

            uint256 relativeDifference = _getRelativeDifference(
                answer,
                fetchTwapValue
            );

            _compareDifference(
                relativeDifference
            );
        }

    173:    return answer;
    }

As you can see at L149-L151 and L173, only the Chainlink price is returned by the function.

Tools Used

Manual Review

Recommended Mitigation Steps

Modify the `OracleHelper.sol#_validateAnswer` function as follows.

    function _validateAnswer(
        address _tokenAddress
    )
        internal
        view
        returns (uint256)
    {
        UniTwapPoolInfo memory uniTwapPoolInfoStruct = uniTwapPoolInfo[
            _tokenAddress
        ];

        uint256 fetchTwapValue;

        if (uniTwapPoolInfoStruct.oracle > ZERO_ADDRESS) {
            fetchTwapValue = latestResolverTwap(
                _tokenAddress
            );
        }

        uint256 answer = _getChainlinkAnswer(
            _tokenAddress
        );

        if (tokenAggregatorFromTokenAddress[_tokenAddress] > ZERO_AGGREGATOR) {
            _compareMinMax(
                tokenAggregatorFromTokenAddress[_tokenAddress],
                int192(uint192(answer))
            );
        }

        if (fetchTwapValue > 0) {

            uint256 relativeDifference = _getRelativeDifference(
                answer,
                fetchTwapValue
            );

            _compareDifference(
                relativeDifference
            );
        }

--        return answer;
++        // fetchTwapValue is 0 when no TWAP oracle is configured for the token;
++        // averaging with 0 would halve the price, so keep the Chainlink answer.
++        if (fetchTwapValue == 0) {
++            return answer;
++        }
++
++        return (answer + fetchTwapValue) / 2;
    }

Assessed type

Other
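The control flow described in the finding, as an added example that is not part of the submitted report or of the wise-lending contracts. It is a Python model of `_validateAnswer`: the Chainlink answer is checked against the aggregator's min/max bounds and, when a TWAP is configured, against a relative-deviation threshold, and only the Chainlink answer is returned. It also models the report's recommended average, with and without a guard for the no-TWAP case. The deviation formula (`max/min` scaled by 10_000), the 2.5% threshold, the aggregator bounds and the sample prices are assumptions chosen for illustration, not values taken from the contracts.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed parameters (not taken from the contracts): relative difference is
# max/min scaled by DIFFERENCE_SCALE, and anything above 2.5% reverts.
DIFFERENCE_SCALE = 10_000
ALLOWED_DIFFERENCE = 10_250


class OracleError(Exception):
    """Stands in for a Solidity revert."""


@dataclass(frozen=True)
class Aggregator:
    """Chainlink-style aggregator answer with its configured clamp bounds."""
    answer: int
    min_answer: int
    max_answer: int


@dataclass(frozen=True)
class TokenOracles:
    """Per-token configuration: Chainlink is mandatory, the TWAP is optional.
    twap=None models uniTwapPoolInfo[token].oracle == address(0)."""
    chainlink: Aggregator
    twap: Optional[int] = None


def compare_min_max(agg: Aggregator, answer: int) -> None:
    """Revert if the answer sits at or beyond the aggregator's clamp bounds."""
    if answer <= agg.min_answer or answer >= agg.max_answer:
        raise OracleError("answer outside aggregator min/max")


def relative_difference(a: int, b: int) -> int:
    """max/min scaled by DIFFERENCE_SCALE; 10_000 means identical prices."""
    if a == 0 or b == 0:
        raise OracleError("zero price")
    hi, lo = max(a, b), min(a, b)
    return hi * DIFFERENCE_SCALE // lo


def compare_difference(diff: int) -> None:
    if diff > ALLOWED_DIFFERENCE:
        raise OracleError("chainlink/twap deviation too large")


def validate_answer(oracles: TokenOracles) -> int:
    """Model of the flow in the finding: the TWAP only gates, Chainlink is returned."""
    fetch_twap_value = oracles.twap if oracles.twap is not None else 0

    answer = oracles.chainlink.answer
    compare_min_max(oracles.chainlink, answer)

    if fetch_twap_value > 0:
        compare_difference(relative_difference(answer, fetch_twap_value))

    return answer


def unguarded_average(oracles: TokenOracles) -> int:
    """Literal reading of `return (answer + fetchTwapValue) / 2` with no guard."""
    fetch_twap_value = oracles.twap if oracles.twap is not None else 0
    return (validate_answer(oracles) + fetch_twap_value) // 2


def validate_answer_averaged(oracles: TokenOracles) -> int:
    """Averaging with the guard the unguarded version lacks: with no TWAP
    configured fetch_twap_value is 0, so averaging would halve the price."""
    fetch_twap_value = oracles.twap if oracles.twap is not None else 0
    answer = validate_answer(oracles)  # same gating checks still apply
    if fetch_twap_value == 0:
        return answer
    return (answer + fetch_twap_value) // 2


def reverts(oracles: TokenOracles) -> bool:
    """True if validate_answer would revert for this configuration."""
    try:
        validate_answer(oracles)
    except OracleError:
        return True
    return False


# Constructed sample configurations (8-decimal USD prices, as Chainlink USD feeds use).
BOUNDS = (1, 10**14)
ETH_WITH_TWAP = TokenOracles(Aggregator(2_000 * 10**8, *BOUNDS), twap=2_010 * 10**8)
ETH_NO_TWAP = TokenOracles(Aggregator(2_000 * 10**8, *BOUNDS))
ETH_DEVIATING = TokenOracles(Aggregator(2_000 * 10**8, *BOUNDS), twap=2_200 * 10**8)
ETH_CLAMPED = TokenOracles(Aggregator(1, *BOUNDS), twap=2_000 * 10**8)

if __name__ == "__main__":
    print("with twap, returned:", validate_answer(ETH_WITH_TWAP))
    print("with twap, averaged:", validate_answer_averaged(ETH_WITH_TWAP))
    print("no twap, unguarded average:", unguarded_average(ETH_NO_TWAP))
    print("no twap, guarded average:", validate_answer_averaged(ETH_NO_TWAP))
    print("10% deviation reverts:", reverts(ETH_DEVIATING))
    print("clamped aggregator reverts:", reverts(ETH_CLAMPED))
```

Running the module prints the four returned values and the two revert outcomes; the 10% deviation case and the clamped aggregator case both revert before any price is returned, which is the sense in which the TWAP acts as a sanity check on the Chainlink answer rather than as a second price source.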

GalloDaSballo commented 5 months ago

Seems to be an opinion more so than a valid finding

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as primary issue

trust1995 commented 5 months ago

Well documented behavior of WISE, closing as a recommendation submitted for High.

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Overinflated severity