Open Waltermelon-lang opened 4 days ago
Unchecked External Calls:
External calls like IERC20.transferFrom and IERC20.approve assume success. Not all ERC-20 tokens return true/false; some revert or behave unexpectedly. Mitigation: Use OpenZeppelin’s SafeERC20 library for all token interactions.
Oracle Manipulation:
The requestAssetsData function fetches oracle data without validation. A compromised oracle can provide inaccurate data. Mitigation: Use multiple oracles and perform sanity checks on values.
Price Conversion Logic:
The priceInWei function assumes correct oracle data and does not validate priceFeedByTokenAddress. Mitigation: Add validation checks for price feed addresses and fetched prices.
Mainnet/Non-Mainnet Behavior Divergence:
The priceInWei function changes behavior based on isMainnet, potentially leading to inconsistencies. Mitigation: Ensure both mainnet and non-mainnet logic are thoroughly tested.
Ensure that calls to external contracts handle failures properly.
To check for unchecked external calls, we need to look for instances where the contract makes calls to external contracts without handling potential failures. This typically involves using low-level calls like call, delegatecall, or staticcall without checking the return value.
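As an added illustration (not code from this repository), the unchecked transferFrom pattern beside a hardened version that routes token calls through SafeERC20 and validates priceFeedByTokenAddress and the fetched price before converting it. IPriceFeed is an assumed Chainlink-style feed interface and MAX_STALENESS an assumed freshness tolerance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not the project's code. Assumes OpenZeppelin's IERC20/SafeERC20
// are installed; IPriceFeed is a hypothetical Chainlink-style feed interface.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

interface IPriceFeed {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Shape the issue describes: the transferFrom return value is never checked, so a
// token that returns false instead of reverting is credited as a successful deposit.
contract UncheckedVault {
    mapping(address => uint256) public balances;
    function deposit(IERC20 token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }
}

// Hardened version: SafeERC20 reverts on false or absent return data, and the
// price feed address and answer are validated before use.
contract CheckedVault {
    using SafeERC20 for IERC20;
    uint256 public constant MAX_STALENESS = 1 hours; // assumed freshness tolerance
    mapping(address => address) public priceFeedByTokenAddress;
    mapping(address => uint256) public balances;

    function deposit(IERC20 token, uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        // Credit only what actually arrived (also covers fee-on-transfer tokens).
        balances[msg.sender] += token.balanceOf(address(this)) - before;
    }
    function priceInWei(address token) public view returns (uint256) {
        address feed = priceFeedByTokenAddress[token];
        require(feed != address(0), "no price feed for token");
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            IPriceFeed(feed).latestRoundData();
        require(answer > 0, "non-positive price");
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        require(answeredInRound >= roundId, "incomplete round");
        // Scale the feed's native decimals to 18 (wei-style fixed point).
        return uint256(answer) * 1e18 / (10 ** IPriceFeed(feed).decimals());
    }
}
```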