Open c4-bot-8 opened 2 months ago
Hello judge, the bot did not push this issue to finding. It is possible that the vote failed due to unexpected delays.
Hey @Scorpiondeng, I appreciate your due diligence! The price feed roles are partially trusted and the behavior outlined does not result in any significant impact as the administrator can re-assign roles.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L202-L203
Vulnerability details
Impact
Prices may expire and incorrect prices may appear.
Proof of Concept
According to the current price logic, 5 nodes vote, and 3 PriceFeeds need to agree before the price will be updated correctly. Imagine a situation where the price needs to be updated because the price drops, and there are 2 votes in favor and 2 votes against, while one PriceFeed has been delayed in voting due to network problems or other reasons. In this case the price update will be delayed, and users may make profits through harvest. The protocol cannot prevent this loss in time.
Tools Used
manual
Recommended Mitigation Steps
It is recommended to prepare backup measures for price updates, or to add more PriceFeeds.
Assessed type
Oracle
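The 3-of-5 vote split described in the Proof of Concept, modelled as an added example (not the project's LockManager code): "against" votes are assumed to be votes for the unchanged price, and the timestamps and `is_stalled` deadline check are constructed for illustration.

```python
from dataclasses import dataclass, field

QUORUM = 3       # PriceFeeds that must agree before the price is updated (from the report)
FEED_COUNT = 5   # voting nodes (from the report)


@dataclass
class PriceRound:
    """Simplified model of one price-update round; not the project's contract logic."""
    current_price: int
    opened_at: int                              # timestamp the round was opened (constructed)
    votes: dict = field(default_factory=dict)   # feed_id -> price that feed voted for

    def vote(self, feed_id: int, price: int) -> None:
        if not 0 <= feed_id < FEED_COUNT:
            raise ValueError(f"unknown feed {feed_id}")
        self.votes[feed_id] = price             # a feed holds at most one vote per round

    def winning_price(self):
        """Price that reached QUORUM identical votes, or None if no quorum yet."""
        tally = {}
        for price in self.votes.values():
            tally[price] = tally.get(price, 0) + 1
        for price, count in tally.items():
            if count >= QUORUM:
                return price
        return None

    def is_stalled(self, now: int, max_age: int) -> bool:
        """Hypothetical monitoring check: no quorum and the round is older than max_age."""
        return self.winning_price() is None and now - self.opened_at > max_age


def delayed_feed_scenario(max_age: int = 600):
    """2 votes for the drop, 2 for the old price, 1 feed delayed; then the late vote lands."""
    rnd = PriceRound(current_price=100, opened_at=1_000)
    rnd.vote(0, 80)     # two feeds see the drop and vote for the new price
    rnd.vote(1, 80)
    rnd.vote(2, 100)    # two feeds still report the old price ("against")
    rnd.vote(3, 100)
    before_late_vote = rnd.winning_price()          # None: 2-2 with feed 4 missing
    stalled = rnd.is_stalled(now=1_000 + max_age + 1, max_age=max_age)
    rnd.vote(4, 80)     # the delayed feed finally votes
    after_late_vote = rnd.winning_price()           # 80: quorum of 3 reached
    return before_late_vote, stalled, after_late_vote
```

Until the fifth vote arrives the old price of 100 stays in effect, which is the window the report describes; the stalled-round check is one way to surface that window to operators.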