Open hats-bug-reporter[bot] opened 3 months ago
@PlamenTSV why is this an invalid issue?
Since we do not have control over possible updates in the Optimistic Oracle regarding whitelists and bonds during the lifetime of the contract, we cannot guarantee that the currency will always be accepted. In case bond or currency become invalid, it is easy to update to a different one. As long as the situation results only in the KPIRewarder not being able to push assertions and no other vulnerabilities, this should be invalid. There is a point to be made that checking for minimum bond and not whitelist is inconsistent and can lead to the transaction reverting with an incorrect error code. That would only count as informational though.
With this #143 is invalid too
Github username: @erictee2802
Twitter username: 0xEricTee
Submission hash (on-chain): 0xc5e976c3f9603471cb4892092bc0106382787b46e2556c26695a46f8535c43e7
Severity: medium
Description:
While setting defaultCurrency in OptimisticOracleIntegrator.sol::_setDefaultCurrencyAndBond: The function is lacking the whitelist status check for defaultCurrency token. If an unwhitelisted defaultCurrency is configured, assertions will not be able to post properly, resulting in denial of service situation.

Attack Scenario:
When unwhitelisted defaultCurrency is configured, assertions will not be able to post properly, resulting in denial of service situation.

Attachments:
NA
Refer above.
defaultCurrency is a whitelisted currency in OptimisticOracleV3 inside the function OptimisticOracleIntegrator.sol::_setDefaultCurrencyAndBond first before setting it to the storage.
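
The setter-side check discussed in this thread, as an added sketch that is not the project's code or part of the submission: the contract name, error names and `isCurrencyUsable` are hypothetical, and the three interfaces are assumed to match UMA's Finder, AddressWhitelist and OptimisticOracleV3 (including a public `finder` getter). Because the whitelist can change after configuration, as noted in the reply above, the same predicate is also exposed as a view so it can be re-checked later.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Assumed minimal views of UMA contracts; verify against the deployed ABI.
interface IFinder {
    function getImplementationAddress(bytes32 interfaceName) external view returns (address);
}
interface IAddressWhitelist {
    function isOnWhitelist(address element) external view returns (bool);
}
interface IOptimisticOracleV3 {
    function finder() external view returns (address);
    function getMinimumBond(address currency) external view returns (uint256);
}

// Hypothetical integrator sketch: access control and the calling setter are omitted.
contract CurrencyBondConfigSketch {
    error CurrencyZeroAddress();
    error CurrencyNotWhitelisted(address currency);
    error BondTooLow(uint256 bond, uint256 minimumBond);

    bytes32 private constant COLLATERAL_WHITELIST = "CollateralWhitelist";

    IOptimisticOracleV3 public immutable oo;
    address public defaultCurrency;
    uint256 public defaultBond;

    constructor(IOptimisticOracleV3 oo_) { oo = oo_; }

    // Re-checkable at any time: whitelist and final fee can change after configuration.
    function isCurrencyUsable(address currency, uint256 bond) public view returns (bool) {
        return currency != address(0)
            && _whitelist().isOnWhitelist(currency)
            && bond >= oo.getMinimumBond(currency);
    }

    // Each failure gets its own error, so a whitelist problem is not reported as a bond problem.
    function _setDefaultCurrencyAndBond(address currency, uint256 bond) internal {
        if (currency == address(0)) revert CurrencyZeroAddress();
        if (!_whitelist().isOnWhitelist(currency)) revert CurrencyNotWhitelisted(currency);
        uint256 minimumBond = oo.getMinimumBond(currency);
        if (bond < minimumBond) revert BondTooLow(bond, minimumBond);
        defaultCurrency = currency;
        defaultBond = bond;
    }

    function _whitelist() private view returns (IAddressWhitelist) {
        return IAddressWhitelist(IFinder(oo.finder()).getImplementationAddress(COLLATERAL_WHITELIST));
    }
}
```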