Closed sherlock-admin closed 1 year ago
0xhacksmithh
high
oracleParams_._parseIntoOracle();
OracleImpl oracle = params_.oracleParams._parseIntoOracle(); gives incorrect Oracle.
OracleImpl oracle = params_.oracleParams._parseIntoOracle();
Basically OracleParams.som contract have a function _parseIntoOracle() which take argument of type OracleParams whenever it called.
OracleParams.som
_parseIntoOracle()
OracleParams
function _parseIntoOracle(OracleParams calldata oracleParams_) returns (OracleImpl) { // @audit no visibility if (address(oracleParams_.oracle)._isNotEmpty()) { return oracleParams_.oracle; } else { // if oracle not provided, create one with provided params CreateOracleParams calldata createOracleParams = oracleParams_.createOracleParams; return createOracleParams.factory.createOracle(createOracleParams.data); } }
But when it called from DiversifierFactory.sol
DiversifierFactory.sol
oracle = oracleParams_._parseIntoOracle();
And from SwapperFactory.sol
SwapperFactory.sol
function createSwapper(CreateSwapperParams calldata params_) external returns (SwapperImpl swapper) { OracleImpl oracle = params_.oracleParams._parseIntoOracle();
There is absence of Argument parameter in those function call. So Thats may cause Invalid Oracle Output.
Out put Oracle address will not correct.
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperFactory.sol#L41
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-diversifier/src/DiversifierFactory.sol#L139
Manual Review
Should pass required Argument parameter to _parseIntoOracle() whenever calling it.
0xhacksmithh
high
Absence Of Input Argument For
oracleParams_._parseIntoOracle();
FunctionSummary
OracleImpl oracle = params_.oracleParams._parseIntoOracle();
gives incorrect Oracle.Vulnerability Detail
Basically
OracleParams.som
contract have a function_parseIntoOracle()
which take argument of typeOracleParams
whenever it called.But when it called from
DiversifierFactory.sol
And from
SwapperFactory.sol
There is absence of Argument parameter in those function call. So Thats may cause Invalid Oracle Output.
Impact
Out put Oracle address will not correct.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperFactory.sol#L41
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-diversifier/src/DiversifierFactory.sol#L139
Tool used
Manual Review
Recommendation
Should pass required Argument parameter to
_parseIntoOracle()
whenever calling it.