Closed c4-bot-8 closed 4 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
Could have been more elaborate and informational.
ditto-eth marked the issue as disagree with severity
It will be clear to the DAO long before a call becomes revertable to upgrade the oracles. Additionally, if the oracle call fails, users can still withdraw up to their credit amounts (excludes yield / trade gains) in the interim before an oracle update is released.
ditto-eth (sponsor) disputed
ditto-eth marked the issue as agree with severity
I agree QA is more appropriate.
hansfriese changed the severity to QA (Quality Assurance)
hansfriese marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/UniswapOracleLibrary.sol#L59
Vulnerability details
Impact
I am leaving this for context: https://github.com/Uniswap/v3-periphery/issues/246
The observe call should be wrapped in a try-catch and be handled properly. There is a good chance that if, in the future, this function call is made with smaller pools, it will keep reverting for an unknown period and block bridge withdrawalFeePct() or block every main protocol function that uses getOraclePrice() when there is a price deviation.
Tools Used
Manual Review
Recommended Mitigation Steps
Wrap the call in a try-catch and handle the case accordingly if it reverts.
Assessed type
Oracle
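Added example (not part of this report, and neither DittoETH's UniswapOracleLibrary nor Uniswap's OracleLibrary): a try-catch wrapper around the pool's observe() call that reports failure to the caller instead of reverting, so a fee or price-deviation check can degrade gracefully. The observe() signature is Uniswap V3's; the library name SafeUniswapOracle, the function tryConsult, the OracleConsumer contract, its event and the 30-minute window are hypothetical choices for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal slice of the Uniswap V3 pool interface (assumed here; it matches the
// observe() signature in @uniswap/v3-core's IUniswapV3PoolDerivedState).
interface IUniswapV3PoolObserve {
    function observe(uint32[] calldata secondsAgos)
        external
        view
        returns (int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityCumulativeX128s);
}

// Hypothetical library; illustrates the mitigation, not DittoETH's own code.
library SafeUniswapOracle {
    /// @notice TWAP consult that never reverts because of an observe() failure.
    /// @return ok false when the pool's observe() reverted (e.g. too few stored observations)
    /// @return arithmeticMeanTick time-weighted average tick over `secondsAgo`; only valid when ok
    function tryConsult(address pool, uint32 secondsAgo)
        internal
        view
        returns (bool ok, int24 arithmeticMeanTick)
    {
        require(secondsAgo != 0, "BP"); // same guard as Uniswap's OracleLibrary.consult

        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = secondsAgo;
        secondsAgos[1] = 0;

        // try/catch wraps only the external call itself: a revert raised inside
        // observe(), whatever its reason, lands in the catch block instead of
        // bubbling up through every protocol entry point that needs a price.
        try IUniswapV3PoolObserve(pool).observe(secondsAgos) returns (
            int56[] memory tickCumulatives,
            uint160[] memory
        ) {
            int56 delta = tickCumulatives[1] - tickCumulatives[0];
            int56 window = int56(uint56(secondsAgo));
            arithmeticMeanTick = int24(delta / window);
            // Round toward negative infinity, as OracleLibrary.consult does.
            if (delta < 0 && (delta % window != 0)) arithmeticMeanTick--;
            ok = true;
        } catch (bytes memory) {
            // Revert data is dropped; the caller decides how to proceed without a Uniswap price.
            ok = false;
        }
    }
}

// Hypothetical consumer showing the fallback decision the report asks for.
contract OracleConsumer {
    address public immutable pool;
    uint32 public constant TWAP_WINDOW = 30 minutes; // assumed window, not DittoETH's setting

    event UniswapOracleUnavailable(address pool);

    constructor(address pool_) {
        // A call to an address with no code fails while decoding return data,
        // which try/catch does not cover, so validate the pool up front.
        require(pool_.code.length > 0, "pool has no code");
        pool = pool_;
    }

    /// @dev Returns (true, tick) on success and (false, 0) when the Uniswap oracle is
    ///      unavailable, so a fee computation or price-deviation check can skip the
    ///      comparison, fall back to a secondary oracle, or restrict the action,
    ///      rather than reverting every main protocol function.
    function uniswapTick() public returns (bool ok, int24 tick) {
        (ok, tick) = SafeUniswapOracle.tryConsult(pool, TWAP_WINDOW);
        if (!ok) emit UniswapOracleUnavailable(pool);
    }
}
```

The event gives operators a detectable signal that the Uniswap leg of the oracle is failing, which is the condition the sponsor expects the DAO to notice before an upgrade; the boolean return keeps the decision about what to do without a price (restrict to credit-only withdrawals, use the primary oracle alone) in the calling contract rather than inside the library.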