code-423n4 / 2024-05-munchables-validation


PriceFeed can continually launch the wrong proposals, preventing correct proposals from being launched #49

Open c4-bot-4 opened 1 month ago

c4-bot-4 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L157-L158

Vulnerability details

Impact

Token prices may be maliciously delayed, resulting in erroneous prices.

Proof of Concept

In the contract, the price of the token is determined based on proposals and votes initiated by 5 PriceFeeds, and only one price proposal can exist at a time. Therefore, if a PriceFeed continuously initiates proposals with wrong prices, proposals with correct prices cannot be initiated, and price updates will be delayed.

Tools Used

manual

Recommended Mitigation Steps

It is recommended to obtain the price from Chainlink. If the price is not updated after a certain period of time, the effective Chainlink price shall prevail.

Assessed type

Oracle
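To make the single-proposal slot described in the Proof of Concept and the staleness fallback from the Recommended Mitigation Steps concrete, here is an added, hypothetical model written for this page; it is not the Munchables LockManager code, and the contract name, `IFallbackFeed`, the 3-of-5 threshold and both timeouts are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Hypothetical stand-in for the Chainlink feed the report proposes as fallback.
interface IFallbackFeed { function latestPrice() external view returns (uint256); }
contract PriceProposalModel {
    uint256 public constant APPROVALS_NEEDED = 3;       // assumed 3-of-5 threshold
    uint256 public constant PROPOSAL_TTL = 1 hours;     // assumed: open proposal may be replaced after this
    uint256 public constant PRICE_STALE_AFTER = 1 days; // assumed: fallback price prevails after this
    IFallbackFeed public immutable fallbackFeed;
    mapping(address => bool) public isFeed;
    uint256 public price;          // last price accepted by vote
    uint256 public priceUpdatedAt;
    // Exactly one proposal slot: the property that lets one feed crowd out the other four.
    uint256 public proposalId;
    address public proposer;
    uint256 public proposedPrice;
    uint256 public proposedAt;
    uint256 public approvals;
    mapping(uint256 => mapping(address => bool)) public voted;
    modifier onlyFeed() { require(isFeed[msg.sender], "not a feed"); _; }
    constructor(address[] memory feeds, IFallbackFeed fb) {
        fallbackFeed = fb;
        for (uint256 i = 0; i < feeds.length; i++) isFeed[feeds[i]] = true;
    }
    function propose(uint256 newPrice) external onlyFeed {
        // As reported: while a proposal is live no other feed can propose. Without the
        // second clause below, a feed that keeps re-proposing holds the slot indefinitely.
        require(proposer == address(0) || block.timestamp > proposedAt + PROPOSAL_TTL, "proposal in progress");
        proposalId++;
        proposer = msg.sender;
        proposedPrice = newPrice;
        proposedAt = block.timestamp;
        approvals = 1;
        voted[proposalId][msg.sender] = true;
    }
    function approve() external onlyFeed {
        require(proposer != address(0) && !voted[proposalId][msg.sender], "cannot vote");
        voted[proposalId][msg.sender] = true;
        if (++approvals >= APPROVALS_NEEDED) {
            price = proposedPrice;
            priceUpdatedAt = block.timestamp;
            proposer = address(0); // free the slot for the next proposal
        }
    }
    // Report's mitigation: if voting has not produced a fresh price, the fallback feed prevails.
    function effectivePrice() external view returns (uint256) {
        return block.timestamp > priceUpdatedAt + PRICE_STALE_AFTER ? fallbackFeed.latestPrice() : price;
    }
}
```

Dropping the `PROPOSAL_TTL` clause from `propose` reproduces the reported behaviour, where a single feed that re-proposes whenever its proposal fails keeps every other feed from proposing.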

Scorpiondeng commented 1 month ago

Hi Judge, this question was not sent to finding. It is possible for PriceFeed to use incorrect prices to influence price updates, but it does not mean that PriceFeed must be trustworthy. If it were credible, there would be no need to vote.

alex-ppg commented 4 weeks ago

Hey @Scorpiondeng, thanks for your feedback! The price feed roles are partially trusted and the behavior outlined does not result in any significant impact as the administrator can re-assign roles.