The project enables usage of stable prices for oracles. This poses a risk if the price turns out to be not so stable after all.
Vulnerability Detail
The function Oracle.getUnderlyingPrice enables returning a stable price as oracle price:
function getUnderlyingPrice(address underlying)
virtual
external
view
returns(int256 answer)
{
if (stablePrice[underlying] != 0) {
return stablePrice[underlying];
}
This can and has caused issues in the past (for reference). Even though the price is not hardcoded here, a change is only possible through governance, which might not be flexible and fast enough to adjust to changing environments
Impact
Price mismatch between oracle and market can cause bad behavior (e.g. reporting enough margin although there is not)
minhtrng
medium
Stable prices pose risk in times of volatility
Summary
The project enables usage of stable prices for oracles. This poses a risk if the price turns out to be not so stable after all.
Vulnerability Detail
The function
Oracle.getUnderlyingPrice
enables returning a stable price as oracle price:This can and has caused issues in the past (for reference). Even though the price is not hardcoded here, a change is only possible through governance, which might not be flexible and fast enough to adjust to changing environments
Impact
Price mismatch between oracle and market can cause bad behavior (e.g. reporting enough margin although there is not)
Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/1f9a5ed0ca8f6004bbb7b099ecbb8ae796557849/hubble-protocol/contracts/Oracle.sol#L30-L32
Tool used
Manual Review
Recommendation
Remove the feature of stable prices
Duplicate of #69