hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for Hats Finance audit competition

Centralisation risk: Owner Able to set malicious Oracle Address #42

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

GitHub username: @goheesheng

Submission hash (on-chain): 0x446cb46b124596ec6673fcbed77a2bd521e243ed528d34555d24b30885cfcb7e

Severity: high

Description: The owner can set any address as a validator.

Attack Scenario: If the owner wallet/private key is hacked or stolen, the owner is able to set a malicious oracle address to manipulate token prices.

Attachments

  1. Proof of Concept (PoC) File

    function setTokenOracleParams(
        IERC20Metadata erc20Address,
        IOracleStruct.OracleParams memory tokenOracleParams
    ) external onlyOwner {
        oracleParametersPerERC20[erc20Address] = tokenOracleParams;
    }

    https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/blob/f43c5d9bc6b30c9f488e34836f09dc04d8f7361f/contracts/Oracles/CvgOracle.sol#L323C1-L328C6

  2. Mitigation

Without significant redesign, it is not possible to avoid the admin being able to rug-pull the protocol.

As a result, the recommendation is to set all admin functions behind either a timelocked DAO or at least a timelocked multisig contract.
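The timelock recommendation above, sketched as an added example (not code from the Convergence repository or from either commenter): the oracle setter is split into a queue step and a delayed execute step, so a parameter change is visible on-chain before it can affect prices. The contract name, the one-field `OracleParams` struct, the plain `address` token key and the 2-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added illustration, not Convergence code; the real OracleParams layout is not on this page.
contract TimelockedOracleConfig {
    struct OracleParams { address aggregator; } // hypothetical field
    uint256 public constant DELAY = 2 days; // assumed value
    address public immutable owner;         // meant to be a multisig
    mapping(address => OracleParams) public oracleParametersPerERC20;
    mapping(bytes32 => uint256) public readyAt; // change id => earliest execution time
    event OracleChangeQueued(address indexed token, address aggregator, uint256 eta);
    event OracleChangeExecuted(address indexed token, address aggregator);
    event OracleChangeCancelled(bytes32 indexed id);

    modifier onlyOwner() { require(msg.sender == owner, "NOT_OWNER"); _; }

    constructor(address multisig) {
        require(multisig != address(0), "ZERO_OWNER");
        owner = multisig;
    }

    function changeId(address token, OracleParams memory p) public pure returns (bytes32) {
        return keccak256(abi.encode(token, p));
    }

    // Step 1: announce the change on-chain so users and monitors can react.
    function queueTokenOracleParams(address token, OracleParams memory p) external onlyOwner {
        require(p.aggregator != address(0), "ZERO_ORACLE");
        bytes32 id = changeId(token, p);
        require(readyAt[id] == 0, "ALREADY_QUEUED");
        uint256 eta = block.timestamp + DELAY;
        readyAt[id] = eta;
        emit OracleChangeQueued(token, p.aggregator, eta);
    }

    // Step 2: apply only the exact queued parameters, and only after the delay.
    function executeTokenOracleParams(address token, OracleParams memory p) external onlyOwner {
        bytes32 id = changeId(token, p);
        uint256 eta = readyAt[id];
        require(eta != 0 && block.timestamp >= eta, "NOT_READY");
        delete readyAt[id];
        oracleParametersPerERC20[token] = p;
        emit OracleChangeExecuted(token, p.aggregator);
    }

    // A queued change can be withdrawn before it takes effect.
    function cancel(bytes32 id) external onlyOwner {
        delete readyAt[id];
        emit OracleChangeCancelled(id);
    }
}
```

Alerting on `OracleChangeQueued` gives the delay its value: a change nobody expected is seen while it is still pending.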

0xR3vert commented 1 year ago

Hello, thanks a lot for your attention. We don't consider stolen/lost private keys as a valid issue; also, the contracts will be owned by a multisig to mitigate this risk. In conclusion, we have to consider this issue as invalid.