Open c4-bot-4 opened 1 month ago
Hi Judge, this question was not sent to findings. It is possible for a PriceFeed to use incorrect prices to influence price updates, but that does not mean the PriceFeed must be trustworthy. If it were credible, there would be no need to vote.
Hey @Scorpiondeng, thanks for your feedback! The price feed roles are partially trusted, and the behavior outlined does not result in any significant impact, as the administrator can re-assign roles.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L157-L158
Vulnerability details
Impact
Token price updates may be maliciously delayed, resulting in erroneous prices.
Proof of Concept
In the contract, the token price is determined by proposals and votes from the 5 PriceFeed roles, and only one price proposal can exist at a time. Therefore, if one PriceFeed continuously initiates proposals with wrong prices, proposals with correct prices cannot be initiated, and price updates are delayed.
Tools Used
Manual review
Recommended Mitigation Steps
It is recommended to also obtain the price from Chainlink. If the price has not been updated after a certain period of time, the Chainlink price should be used as the effective price.
Assessed type
Oracle
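The proposal/vote race described in the Proof of Concept above, together with the staleness fallback from the Recommended Mitigation Steps, as an added Python model that is not part of the original issue or of the Munchables contracts: it assumes a single in-flight proposal slot, five feed roles, and 3-of-5 approve/disapprove thresholds (the thresholds, the feed names and the helper names `VotedPrice`, `griefing_run` and `effective_price` are assumptions made for the model). It shows that a feed which re-proposes a bogus price immediately after each rejection keeps an honest proposal from ever being accepted, while `effective_price` falls back to an external reference once the voted price exceeds a maximum age.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Thresholds are assumptions for this model, not values taken from the issue.
APPROVE_THRESHOLD = 3
DISAPPROVE_THRESHOLD = 3
FEEDS = ("feed1", "feed2", "feed3", "feed4", "feed5")  # the 5 PriceFeed roles


@dataclass
class Proposal:
    proposer: str
    price: int
    proposed_at: int
    approvals: Set[str] = field(default_factory=set)
    disapprovals: Set[str] = field(default_factory=set)


class VotedPrice:
    """Single-slot propose/vote oracle: only one proposal can exist at a time."""

    def __init__(self, initial_price: int, now: int):
        self.price = initial_price
        self.last_update = now
        self.proposal: Optional[Proposal] = None
        self.rejected = 0  # proposals cleared by disapproval votes

    def propose(self, feed: str, price: int, now: int) -> None:
        if feed not in FEEDS:
            raise PermissionError(feed)
        if self.proposal is not None:
            raise RuntimeError("ProposalInProgress")  # the check that blocks honest feeds
        self.proposal = Proposal(feed, price, now, approvals={feed})

    def _vote(self, feed: str) -> Proposal:
        p = self.proposal
        if feed not in FEEDS or p is None:
            raise RuntimeError("NoProposal")
        if feed in p.approvals or feed in p.disapprovals:
            raise RuntimeError("AlreadyVoted")
        return p

    def approve(self, feed: str, now: int) -> None:
        p = self._vote(feed)
        p.approvals.add(feed)
        if len(p.approvals) >= APPROVE_THRESHOLD:
            self.price, self.last_update, self.proposal = p.price, now, None

    def disapprove(self, feed: str) -> None:
        p = self._vote(feed)
        p.disapprovals.add(feed)
        if len(p.disapprovals) >= DISAPPROVE_THRESHOLD:
            self.proposal = None  # slot is free again, whoever is first takes it
            self.rejected += 1

    def effective_price(self, now: int, fallback_price: int, max_age: int) -> int:
        """Mitigation sketch (assumed design): if the voted price is older than
        max_age, return an external reference price (stands in for Chainlink)."""
        if now - self.last_update > max_age:
            return fallback_price
        return self.price


def griefing_run(rounds: int, true_price: int = 2000, bogus_price: int = 1) -> dict:
    """feed1 proposes a bogus price every round; feed2..feed4 reject it and feed2
    tries to propose the true price, but feed1 has already refilled the slot."""
    oracle = VotedPrice(initial_price=1500, now=0)
    honest_landed = 0
    for t in range(1, rounds + 1):
        oracle.propose("feed1", bogus_price, now=t)  # attacker is first in the block
        try:
            oracle.propose("feed2", true_price, now=t)
            honest_landed += 1
        except RuntimeError:
            pass  # ProposalInProgress: the honest update is starved
        for f in ("feed2", "feed3", "feed4"):
            oracle.disapprove(f)  # clears the slot; attacker refills it next round
    return {
        "price": oracle.price,
        "honest_proposals": honest_landed,
        "rejected": oracle.rejected,
        "age": rounds - oracle.last_update,
        "effective": oracle.effective_price(rounds, fallback_price=true_price, max_age=3),
    }


if __name__ == "__main__":
    print(griefing_run(5))
```

The `rejected` counter is the signal a monitor would watch: repeated rejections from the same proposer with no accepted update is exactly the pattern the issue describes, and it is visible on-chain before the staleness window expires.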