hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd

Audit competition repository for Euro-Dollar (0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd)
https://hats.finance
MIT License

Lack of Constraints on setCurrentPrice and setPreviousPrice Allowing Arbitrary Price Manipulation #74

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

GitHub username: --
Twitter username: 4n0n_x
Submission hash (on-chain): 0xe89316f61cbe0531bea147aff5576e14a7a75dc5387913aa8dd12f86ca3fcb0f
Severity: high

Description

The setCurrentPrice and setPreviousPrice functions allow the contract owner to manually set arbitrary prices without any constraints based on the maxPriceIncrease limit. This design effectively bypasses the typical maxPriceIncrease limit enforced for the oracle, granting the owner unrestricted control to adjust the price directly to any value, regardless of its magnitude.

Impact

Unrestricted direct price adjustments by the owner pose a high risk of price manipulation, which could lead to significant financial losses for users or stakeholders who depend on stable, controlled pricing. If the owner sets an unusually high or low price, it could destabilize systems relying on this oracle for price data, potentially triggering unintended liquidations, mispriced transactions, or imbalanced token conversions.

Recommendation

  1. Restrict setCurrentPrice and setPreviousPrice for Emergency Use Only: Limit the use of these functions to emergency situations only, with clear protocols for when and how they can be invoked.

  2. Enforce maxPriceIncrease Bounds on Manual Price Adjustments: Add checks within setCurrentPrice and setPreviousPrice to ensure that any manual price change falls within the allowed maxPriceIncrease bounds. This would enforce similar constraints on the owner as are applied to oracle-driven updates.

  3. Consider Multi-Signature or Governance Oversight: For further security, consider requiring multi-signature authorization or governance oversight to approve significant price adjustments. This added layer can help ensure that direct price changes undergo adequate review and are not subject to misuse.
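Added example, not part of the submitted report and not the Euro-Dollar contract's code: a sketch of recommendation 2, in which both manual setters are held to the maxPriceIncrease bound and share a cooldown. The contract name, storage layout, the reading of maxPriceIncrease as an absolute cap on currentPrice - previousPrice, the non-decreasing price, and MANUAL_DELAY are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, NOT the Euro-Dollar oracle. Assumptions: maxPriceIncrease is an
// absolute cap on currentPrice - previousPrice, the price never decreases, and
// MANUAL_DELAY is a hypothetical cooldown between owner overrides.
contract BoundedPriceOracleSketch {
    uint256 public constant MANUAL_DELAY = 1 days; // hypothetical value
    address public immutable owner;
    uint256 public immutable maxPriceIncrease;
    uint256 public previousPrice;
    uint256 public currentPrice;
    uint256 public lastManualUpdate;
    error NotOwner();
    error TooSoon(uint256 nextAllowed);
    error PriceOutOfBounds(uint256 proposed, uint256 lower, uint256 upper);
    event PriceManuallySet(bool indexed isCurrent, uint256 oldPrice, uint256 newPrice);

    // Owner-only, one override per MANUAL_DELAY: in-bounds calls cannot be chained.
    modifier manualOverride() {
        if (msg.sender != owner) revert NotOwner();
        uint256 next = lastManualUpdate + MANUAL_DELAY;
        if (block.timestamp < next) revert TooSoon(next);
        lastManualUpdate = block.timestamp;
        _;
    }

    constructor(uint256 initialPrice, uint256 maxIncrease) {
        owner = msg.sender;
        maxPriceIncrease = maxIncrease;
        previousPrice = initialPrice;
        currentPrice = initialPrice;
    }

    // currentPrice must stay within [previousPrice, previousPrice + maxPriceIncrease].
    function setCurrentPrice(uint256 newPrice) external manualOverride {
        uint256 upper = previousPrice + maxPriceIncrease;
        if (newPrice < previousPrice || newPrice > upper)
            revert PriceOutOfBounds(newPrice, previousPrice, upper);
        emit PriceManuallySet(true, currentPrice, newPrice);
        currentPrice = newPrice;
    }

    // previousPrice must stay within [currentPrice - maxPriceIncrease, currentPrice].
    function setPreviousPrice(uint256 newPrice) external manualOverride {
        uint256 lower = currentPrice > maxPriceIncrease ? currentPrice - maxPriceIncrease : 0;
        if (newPrice < lower || newPrice > currentPrice)
            revert PriceOutOfBounds(newPrice, lower, currentPrice);
        emit PriceManuallySet(false, previousPrice, newPrice);
        previousPrice = newPrice;
    }
}
```

The PriceManuallySet event gives monitoring a single signal for every owner override, separate from oracle-driven updates.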

AndreiMVP commented 2 weeks ago

Dup of https://github.com/hats-finance/Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd/issues/69