code-423n4 / 2024-03-revert-lend-findings


Reading price for assets on the forex markets outside the forex market hours #199

Open c4-bot-1 opened 5 months ago

c4-bot-1 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/457230945a49878eefdc1001796b10638c1e7584/src/V3Oracle.sol#L329-L343

Vulnerability details

The Chainlink best practices for ETF and Forex feeds mention this:

Assets on the Forex (Foreign Exchange) markets are traded only during defined market hours. Additionally, some currencies might trade only during local banking hours. Do not use Forex feeds outside market hours for the specific currency.

The feed used by the oracle depends on the pool in the underlying token's feedConfig, and it can easily be a pool that contains a foreign asset (like EUROC), which means that the protocol can access forex feeds.

Let's say EUR/USD is the pool in feedConfigs[token]; the feed used would be the EUR/USD price feed, which has forex market hours.
But we notice that it is possible to take a loan or liquidate a loan every day of the week (Saturday included), and these functionalities query the EUR/USD feed for the exchange rate.

In other words, the protocol is clearly accessing forex market prices outside the forex market hours.

Impact

The protocol is reading Forex feeds outside the recommended market hours and there's no telling what the deviation might be between real world price and the on-chain price of the pair (pool tokens) during such hours. The impact depends on the usage of the price info.
When it is used as part of the collateral for lenders:

Tools Used

Manual review

Recommended Mitigation Steps

Query/use Forex price feed only during the recommended forex market hours. Or consider using another oracle that doesn't have this limitation during off-market hours.

Assessed type

Oracle
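The mitigation suggested in the finding, gating forex feed reads on a market-hours check, as an added example that is not code from the Revert Lend repository or from Chainlink. The weekly schedule (open Sunday 22:00 UTC, closed from Friday 22:00 UTC, closed all Saturday) is an assumption for illustration; real hours vary per currency and with daylight-saving changes, and the `ForexHours` and `GatedForexFeed` names are hypothetical. Only the `AggregatorV3Interface`-style `latestRoundData()` signature is Chainlink's real interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical market-hours gate for a forex feed (added example).
/// The open/close hours below are an ASSUMED schedule, not Chainlink's or the protocol's.
library ForexHours {
    uint256 internal constant SECONDS_PER_DAY = 86400;
    uint256 internal constant SECONDS_PER_HOUR = 3600;
    uint256 internal constant ASSUMED_OPEN_HOUR_UTC = 22;  // market opens Sunday 22:00 UTC
    uint256 internal constant ASSUMED_CLOSE_HOUR_UTC = 22; // market closes Friday 22:00 UTC

    /// Returns 0 = Sunday ... 6 = Saturday.
    /// Unix day 0 (1970-01-01) was a Thursday, hence the +4 offset.
    function weekday(uint256 timestamp) internal pure returns (uint256) {
        return (timestamp / SECONDS_PER_DAY + 4) % 7;
    }

    function hourOfDay(uint256 timestamp) internal pure returns (uint256) {
        return (timestamp % SECONDS_PER_DAY) / SECONDS_PER_HOUR;
    }

    /// True when the assumed forex session is open at `timestamp`.
    function isOpen(uint256 timestamp) internal pure returns (bool) {
        uint256 d = weekday(timestamp);
        uint256 h = hourOfDay(timestamp);
        if (d == 6) return false;                      // Saturday: closed all day
        if (d == 0) return h >= ASSUMED_OPEN_HOUR_UTC; // Sunday: open only after 22:00
        if (d == 5) return h < ASSUMED_CLOSE_HOUR_UTC; // Friday: closed from 22:00
        return true;                                   // Monday to Thursday: open
    }
}

/// Minimal Chainlink-style aggregator interface (real latestRoundData signature).
interface IAggregatorV3 {
    function latestRoundData()
        external view returns (uint80, int256, uint256, uint256, uint80);
}

contract GatedForexFeed {
    IAggregatorV3 public immutable feed;
    error ForexMarketClosed(uint256 timestamp);

    constructor(IAggregatorV3 _feed) { feed = _feed; }

    /// Reverts instead of returning a price that no market is currently forming,
    /// so loan and liquidation paths cannot silently use an off-hours rate.
    function latestPrice() external view returns (int256 answer, uint256 updatedAt) {
        if (!ForexHours.isOpen(block.timestamp)) revert ForexMarketClosed(block.timestamp);
        (, answer, , updatedAt, ) = feed.latestRoundData();
    }
}
```

A caller that must keep working over the weekend would wrap the revert in a try/catch and fall back to a more conservative valuation rather than the last Friday price.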

c4-pre-sort commented 5 months ago

0xEVom marked the issue as insufficient quality report

0xEVom commented 5 months ago

Mistakes in code only unblocked through admin mistakes should be submitted within a QA Report.

https://docs.code4rena.com/awarding/judging-criteria/severity-categorization

c4-pre-sort commented 5 months ago

0xEVom marked the issue as primary issue

c4-judge commented 5 months ago

jhsagd76 changed the severity to QA (Quality Assurance)

jhsagd76 commented 5 months ago

L-B