Incomplete Implementation in RenzoOracleStorageV1 Contract

[c4-bot-10]

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Oracle/RenzoOracleStorage.sol#L10

Vulnerability details

Impact

The absence of implementation for fetching price data from Chainlink oracles and managing roles through the IRoleManager interface in the RenzoOracleStorageV1 contract could lead to significant security vulnerabilities and operational inefficiencies. Without these implementations, the contract cannot effectively interact with Chainlink oracles to fetch accurate and timely price data, nor can it securely manage roles and permissions, potentially exposing the contract to unauthorized access and manipulation.

Proof of Concept

The RenzoOracleStorageV1 contract, as provided, is an abstract contract that sets up the necessary structure for interacting with Chainlink oracles and managing roles. However, it lacks the implementation details for these functionalities, which are crucial for the contract's operation and security.

The issue was identified in the RenzoOracleStorageV1 contract, specifically at the following link: RenzoOracleStorage.sol.

// SPDX-License-Identifier: BUSL-1.1
pragma solidity 0.8.19;

import "../Permissions/IRoleManager.sol";
import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

abstract contract RenzoOracleStorageV1 {
    /// @dev reference to the RoleManager contract
@>    IRoleManager public roleManager;

    /// @dev The mapping of supported token addresses to their respective Chainlink oracle address
    mapping(IERC20 => AggregatorV3Interface) public tokenOracleLookup;
}

The contract is abstract and does not contain any implemented functions for interacting with Chainlink oracles or managing roles. This means that any contract inheriting from RenzoOracleStorageV1 must provide these implementations, which could be overlooked or incorrectly implemented, leading to the aforementioned vulnerabilities.

Tools Used

Manual VScode

Recommended Mitigation Steps with Fix Code

To address this issue, it is recommended to provide concrete implementations for interacting with Chainlink oracles and managing roles in the contracts that inherit from RenzoOracleStorageV1. Below is an example of how such an implementation might look in a derived contract:

// SPDX-License-Identifier: BUSL-1.1
pragma solidity 0.8.19;

import "../Permissions/IRoleManager.sol";
import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract MyOracleContract is RenzoOracleStorageV1 {
    constructor(IRoleManager _roleManager) {
        roleManager = _roleManager;
    }

    // Example function to fetch price for a token
    function getPriceForToken(IERC20 token) public view returns (int) {
        require(tokenOracleLookup[token]!= AggregatorV3Interface(address(0)), "Token not supported");

        AggregatorV3Interface oracle = tokenOracleLookup[token];
        (, int price,,,) = oracle.latestRoundData();
        return price;
    }
}

This example demonstrates how to implement a function getPriceForToken that fetches the latest price for a given ERC20 token from its associated Chainlink oracle. This is just one example of the necessary implementations that should be provided in contracts inheriting from RenzoOracleStorageV1 to ensure the contract's functionality and security.

Assessed type

Other

[raymondfam]

@howlbot reject

[raymondfam]

Inadequate elaboration and proof. Implementation is well in place.