Open hats-bug-reporter[bot] opened 1 year ago
Hello, Thanks a lot for your attention.
Pools you are showing as example are Stable Pool
, it's normal that they don't have any price as the other.
We are not targetting stable pools in our Oracle
We have so to consider this issue as Invalid
Github username: @JeffCX Submission hash (on-chain): 0x1eb12174f6bf021ee077598aab939ae3beddf917c9ef2982468a3a7ed349eb12 Severity: medium
Description: Description\
Curve oracle does not work for all curve pools
Attack Scenario\
In the current implementation, the oracle use the curve oracle last_prices directedly
However, for old version of curve V1, there is no such view function exposed called last_price
https://resources.curve.fi/factory-pools/understanding-oracles/#v1-pools
In fact, if we look at a few V1 curve pool that has a large amount of liquidity, there is no last_price view function exposed
https://curve.readthedocs.io/ref-addresses.html
for example
https://etherscan.io/address/0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7#readContract
or
https://etherscan.io/address/0xF9440930043eb3997fc70e1339dBb11F341de7A8#readContract
there is no last_price function exposed
Attachments
if the underlying curve pool does not support the last_price function called, the oracle leads to directly revert
Consider Use Uniswap V3 TWAP oracle instead