The protocol allows calculations using stale oracles.

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x0e73900be4d4c81eec54eabb7d03c9d6a4128d5de03a5aaa6f03c4f012681a70 Severity: medium

Description:

Summary

The protocol interacts with tokens that use oracles, there are multiple checks enforced whenever checking the oracle rates, such as the expiration, the validity, etc.

However the protocol allows for stale oracles to be used.

For example inside swap_exact_out where a user is able to perform a swap with a stale oracle:

            self.update_rates();
            let rates = self.get_scaled_rates(&self.pool.token_rates)?;

Since the flow of the rate checker will not revert if the price is stale.

This vulnerability has also been warned for in the Aleph Zero Documentation

// Be aware the risk of oracle manipulation attack.

As it stands now, there are no safety measurements implemented to prevent the use of stale oracles.

Impact

This could enable users to profit from a token with multiple oracles if the protocol relies on a stale oracle while the others remain up-to-date, thereby creating an opportunity for gain.

Recommendation

Address the use of stale oracles; for instance, revert the rate checker function if the new rate price equals the old rate price. Currently, it does not revert but simply returns false.

[JanKuczma]

Thank you for your submission.

External contracts malfunctioning/not working as intended (such as returning a stale rate) is out of scope as stated in the scope section in the audit description.