code-423n4 / 2024-03-dittoeth-findings


Cached Oracle Price Discrepancy in Redemption Process #265

Closed c4-bot-6 closed 3 months ago

c4-bot-6 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L75

Vulnerability details

Impact

The redemption process uses a cached oracle price (LibOracle.getPrice(p.asset)) with a 15-minute validity window to enhance the efficiency of the hint system for order placement. This design choice can lead to scenarios where the cached price does not reflect the current market conditions accurately due to volatility in the cryptocurrency markets. The discrepancy between the cached oracle price and the actual market price at the time of redemption can result in unfair redemption outcomes. Proposers of redemptions might either benefit unduly or suffer losses due to the stale price information.

Proof of Concept

Here is an example showing the bug:

- Initial cached oracle price: 100
- Elapsed time since last oracle update: 10 minutes (within the 15-minute cache window)
- Market price: 120
- Proposer's price view: 118 (the price the proposer believes to be accurate based on their information)

Tools Used

Manual review

Recommended Mitigation Steps

An update mechanism needs to be added that adjusts the frequency of oracle price updates based on observed market volatility.

Assessed type

Other
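As an added illustration, not DittoETH's code and not part of the report, here is a Python model of the suggested mitigation: a cache whose validity window shortens as observed volatility rises, shown next to the fixed 15-minute policy the report describes, replayed on the report's own numbers (cached 100, 10 minutes elapsed, market 120). The class names, the sensitivity factor of 20, the 60-second floor and the 5-entry history are assumed values for the model.

```python
from dataclasses import dataclass, field

BASE_WINDOW = 15 * 60  # seconds; the 15-minute validity window the report cites


@dataclass
class PriceObservation:
    price: float
    timestamp: int


@dataclass
class VolatilityAwareCache:
    """Assumed model (not DittoETH's LibOracle): a cached oracle price whose
    validity window shrinks as recently observed volatility rises."""
    history: list = field(default_factory=list)
    base_window: int = BASE_WINDOW
    min_window: int = 60          # assumed floor so the cache is never useless
    sensitivity: float = 20.0     # assumed: how hard volatility shortens the window

    def record(self, price: float, timestamp: int) -> None:
        """Store an oracle update, keeping only a short rolling history."""
        self.history.append(PriceObservation(price, timestamp))
        self.history = self.history[-5:]

    def realized_volatility(self) -> float:
        """Largest absolute fractional move between consecutive recorded updates."""
        pairs = zip(self.history, self.history[1:])
        return max((abs(b.price - a.price) / a.price for a, b in pairs), default=0.0)

    def window(self) -> int:
        """Dynamic validity window: base window divided by (1 + sensitivity * volatility)."""
        w = self.base_window / (1.0 + self.sensitivity * self.realized_volatility())
        return max(self.min_window, int(w))

    def price_for(self, now: int):
        """Cached price if still valid under the dynamic window, else None (refresh needed)."""
        latest = self.history[-1]
        return latest.price if now - latest.timestamp <= self.window() else None


def fixed_window_price(cache: VolatilityAwareCache, now: int, window: int = BASE_WINDOW):
    """The time-only policy from the report: the cached value is trusted purely on age,
    so a 20% market move inside the window is invisible to the redemption."""
    latest = cache.history[-1]
    return latest.price if now - latest.timestamp <= window else None
```

In the report's scenario the fixed policy still hands out 100 at minute 10 while the market is at 120; the volatility-aware cache, having seen a large move on its last update, has already shrunk its window and forces a refresh.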

c4-pre-sort commented 3 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 3 months ago

raymondfam marked the issue as duplicate of #114

raymondfam commented 3 months ago

See #114.

c4-judge commented 3 months ago

hansfriese marked the issue as satisfactory