code-423n4 / 2024-03-dittoeth-findings


Uniswap v3 observe call can revert and block the entire protocol for a period of time #246

Closed c4-bot-8 closed 4 months ago

c4-bot-8 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/UniswapOracleLibrary.sol#L59

Vulnerability details

Impact

I am leaving this for context: https://github.com/Uniswap/v3-periphery/issues/246

The observe call should be wrapped in a try-catch and be handled properly.

There is a good chance that if, in the future, this function call is made with smaller pools, it will keep reverting for an unknown period and block bridge withdrawalFeePct() or block every main protocol function that uses getOraclePrice() when there is a price deviation.

Tools Used

Manual Review

Recommended Mitigation Steps

Wrap the call in a try-catch and handle the case accordingly if it reverts.

Assessed type

Oracle
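One way to apply the recommended mitigation, written here as an added example for this thread. It is not DittoETH's code and assumes only the standard `IUniswapV3Pool.observe` signature; the library and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the Uniswap v3 pool interface needed for the TWAP call.
interface IUniswapV3Pool {
    function observe(uint32[] calldata secondsAgos)
        external
        view
        returns (int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityCumulativeX128s);
}

/// @notice Hypothetical wrapper (not the project's code) that turns a reverting
/// `observe` call into a (success, tick) result instead of propagating the revert.
library SafeTwapLibrary {
    /// @dev Returns (true, arithmeticMeanTick) on success. On revert (for example
    /// when the pool's observation cardinality is too small for `secondsAgo`, the
    /// situation described in the linked Uniswap issue) it returns (false, 0) so the
    /// caller can fall back to another price source instead of blocking every
    /// function that depends on the oracle.
    function tryConsult(address pool, uint32 secondsAgo)
        internal
        view
        returns (bool ok, int24 arithmeticMeanTick)
    {
        require(secondsAgo != 0, "secondsAgo == 0");
        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = secondsAgo; // start of the window
        secondsAgos[1] = 0;          // now

        // try/catch only catches reverts from external calls; `observe` is
        // external, so a revert inside the pool lands in the catch block.
        try IUniswapV3Pool(pool).observe(secondsAgos) returns (
            int56[] memory tickCumulatives,
            uint160[] memory /* secondsPerLiquidityCumulativeX128s, unused */
        ) {
            int56 tickCumulativesDelta = tickCumulatives[1] - tickCumulatives[0];
            arithmeticMeanTick = int24(tickCumulativesDelta / int56(uint56(secondsAgo)));
            // Round toward negative infinity, matching Uniswap's OracleLibrary.consult.
            if (tickCumulativesDelta < 0 && (tickCumulativesDelta % int56(uint56(secondsAgo)) != 0)) {
                arithmeticMeanTick--;
            }
            ok = true;
        } catch {
            ok = false;
            arithmeticMeanTick = 0;
        }
    }
}
```

A caller checks `ok` and, when it is false, uses its other price source or a cached last-good value rather than reverting, and can emit an event so the DAO notices that the pool needs its observation cardinality increased.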

c4-pre-sort commented 5 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as primary issue

raymondfam commented 5 months ago

Could have been more elaborate and informational.

c4-sponsor commented 5 months ago

ditto-eth marked the issue as disagree with severity

ditto-eth commented 5 months ago

It will be clear to the DAO long before a call becomes revertable to upgrade the oracles. Additionally, if the oracle call fails, users can still withdraw up to their credit amounts (excludes yield / trade gains) in the interim before an oracle update is released.

c4-sponsor commented 4 months ago

ditto-eth (sponsor) disputed

c4-sponsor commented 4 months ago

ditto-eth marked the issue as agree with severity

hansfriese commented 4 months ago

I agree QA is more appropriate.

c4-judge commented 4 months ago

hansfriese changed the severity to QA (Quality Assurance)

c4-judge commented 4 months ago

hansfriese marked the issue as grade-c