hats-finance / Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd

Audit competition repository for Euro-Dollar (0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd)
https://hats.finance
MIT License

YieldOracle : the initial updateDelay gap is high #83

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0xb80c696236f47d7368293ca46550eb08dce59516b3399b8cf12574f06650c8a7 Severity: medium

Description

YieldOracle - the oracle is allowed to update the price by calling the function updatePrice. For this, the updateDelay should have passed. Initially, the updateDelay is set to 1 day, which is huge.

    updateDelay = 1 days; // <-- flagged by the reporter: initial delay is 1 day
    commitDelay = 1 hours;
    function updatePrice(uint256 price) external onlyOracle {
        // Enforce at least updateDelay between updates
        require(lastUpdate + updateDelay < block.timestamp, "Insufficient update delay");

        // Commit the price proposed in the previous call before accepting a new one
        if (nextPrice != NO_PRICE) {
            previousPrice = currentPrice;
            currentPrice = nextPrice;

            emit PriceCommitted(currentPrice);
        }

        require(price - currentPrice <= maxPriceIncrease, "Price out of bounds");

        // The new price only becomes currentPrice on the next updatePrice call
        nextPrice = price;
        lastUpdate = block.timestamp;

        emit PriceUpdated(price);
    }

But, in practice, this value is huge when compared with current standard oracle systems. For example, the Chainlink oracle feed updates the price every 1 hour. Refer to the trigger parameters at this link - https://data.chain.link/feeds/ethereum/mainnet/eth-usd

Impact

Though the price is updated every hour, the oracle can only update it after 1 day. In the meantime, the incorrect price value would be used to calculate the asset values.

Note: the admin can update the price value, but in practice it is not possible to update it manually by checking the price values all the time. If we use an oracle, it would be easy to deploy a bot and automate the price updates.

Revised Code File (Optional)

Reduce the updateDelay to match the oracle price update delay. Similarly, modify the commitDelay as well.
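The two-step updatePrice() flow quoted above, modelled as an added Python example (not code from the Euro-Dollar repository) to measure how far currentPrice can lag behind an hourly reference feed for a given updateDelay; the hourly price series, the hourly polling bot and the NO_PRICE sentinel value are constructed assumptions.

```python
# Added example: a model of YieldOracle.updatePrice() as quoted in the report.
# Names mirror the Solidity snippet; values below are constructed sample data.

DAY = 86_400
HOUR = 3_600
NO_PRICE = 0  # assumption: sentinel meaning "no pending price"


class YieldOracleModel:
    def __init__(self, initial_price, update_delay, max_price_increase):
        self.update_delay = update_delay
        self.max_price_increase = max_price_increase
        self.previous_price = initial_price
        self.current_price = initial_price
        self.next_price = NO_PRICE
        self.last_update = 0

    def update_price(self, price, now):
        # Enforce at least updateDelay between updates (strict '<' as in the contract)
        if not (self.last_update + self.update_delay < now):
            raise ValueError("Insufficient update delay")
        # Commit the previously proposed price before accepting a new one
        if self.next_price != NO_PRICE:
            self.previous_price = self.current_price
            self.current_price = self.next_price
        if price - self.current_price > self.max_price_increase:
            raise ValueError("Price out of bounds")
        # The new price only becomes currentPrice on the *next* call
        self.next_price = price
        self.last_update = now


def max_staleness(update_delay, hours=72, drift_per_hour=1):
    """Reference feed moves every hour; an oracle bot polls hourly and calls
    updatePrice whenever the contract allows it. Returns the largest gap (in
    price units) between the reference price and the committed currentPrice."""
    oracle = YieldOracleModel(1_000, update_delay, max_price_increase=10**9)
    worst = 0
    for h in range(1, hours + 1):
        now = h * HOUR
        reference = 1_000 + h * drift_per_hour  # constructed: +1 per hour
        if oracle.last_update + oracle.update_delay < now:
            oracle.update_price(reference, now)
        worst = max(worst, reference - oracle.current_price)
    return worst
```

Because a proposed price is only committed on the following call, the committed currentPrice can trail the feed by close to two updateDelay periods, which is why the 1 day setting stretches the gap far beyond the hourly reference cadence.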

AndreiMVP commented 2 weeks ago

It's intended behavior. The value might be changed to a different one at some point, but that's something out of the scope of this competition.

0xpinky commented 2 weeks ago

@AndreiMVP usage of incorrect price is dangerous imho. Is this mentioned anywhere before the contest? We could not find any information on this.

AndreiMVP commented 2 weeks ago

> usage of incorrect price is dangerous imho. Is this mentioned anywhere before the contest? We could not find any information on this.

You mean the delay? I don't understand why it's dangerous. It's set in the constructor for convenience. There is also the setUpdateDelay() function.

https://github.com/hats-finance/Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd/blob/c04ebafc3c6c48d612eb8df38ebd3e5b2ffa73a6/src/YieldOracle.sol#L136

0xpinky commented 2 weeks ago

Hey @AndreiMVP, the function that is set by the owner is present in the codebase. But the initial deployment will have this issue, and it's not clear how long it would take to correct it. As it impacts the short-term price, which could be serious for this project, we flagged this as medium. Let us know what you think.