search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

J4de - `UniswapV3AdapterOracle.sol#setStablePools` function token check is incomplete #70

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

J4de

medium

UniswapV3AdapterOracle.sol#setStablePools function token check is incomplete

Summary

UniswapV3AdapterOracle.sol#setStablePools function token check is incomplete

Vulnerability Detail

File: oracle/UniswapV3AdapterOracle.sol
 40     function setStablePools(
 41         address[] calldata tokens,
 42         address[] calldata pools
 43     ) external onlyOwner {
 44         if (tokens.length != pools.length) revert Errors.INPUT_ARRAY_MISMATCH();
 45         for (uint256 idx = 0; idx < tokens.length; idx++) {
 46             if (tokens[idx] == address(0) || pools[idx] == address(0))
 47                 revert Errors.ZERO_ADDRESS();
 48             if (
 49 >>              tokens[idx] != IUniswapV3Pool(pools[idx]).token0() &&
 50                 tokens[idx] != IUniswapV3Pool(pools[idx]).token1()
 51             ) revert Errors.NO_STABLEPOOL(pools[idx]);
 52             stablePools[tokens[idx]] = pools[idx];
 53             emit SetPoolStable(tokens[idx], pools[idx]);
 54         }
 55     }

setStablePools function will check whether the pool and token are consistent. Line 49 should use || instead of &&, because as long as one is wrong, it is illegal.

Impact

May lead to use of the wrong pools.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/UniswapV3AdapterOracle.sol#L48-L49

Tool used

Manual Review

Recommendation

    function setStablePools(
        address[] calldata tokens,
        address[] calldata pools
    ) external onlyOwner {
        if (tokens.length != pools.length) revert Errors.INPUT_ARRAY_MISMATCH();
        for (uint256 idx = 0; idx < tokens.length; idx++) {
            if (tokens[idx] == address(0) || pools[idx] == address(0))
                revert Errors.ZERO_ADDRESS();
            if (
-               tokens[idx] != IUniswapV3Pool(pools[idx]).token0() &&
+               tokens[idx] != IUniswapV3Pool(pools[idx]).token0() ||
                tokens[idx] != IUniswapV3Pool(pools[idx]).token1()
            ) revert Errors.NO_STABLEPOOL(pools[idx]);
            stablePools[tokens[idx]] = pools[idx];
            emit SetPoolStable(tokens[idx], pools[idx]);
        }
    }