Protocol can face consequences of No Oracle Usage: Frontrunning Attacks, USDT Depeg, and Center Point of Failure Vulnerabilities
Summary
The absence of an Oracle in the protocol can give rise to significant issues such as Frontrunning Attacks, USDT Depeg, and Center Point of Failure Vulnerabilities.
Vulnerability Detail
The lack of Oracle implementation can give rise to 3 issues:
USDT Depeg:-
As the Assets value is set manually, the initial value of USDT will be fixed at 1 Dollar. However, if USDT were to experience a de-pegging event similar to USDC, it would create an opportunity for users to acquire additional USD1 tokens.
It's true for other assets as well.
XOracle.putPrice() Can Fall Victim to Front-running Attacks: Attackers Can Make Quick Profits, while Users Can Avoid Loss and even Turn the Potential Loss into Profits:-
We have extensively discussed the impact of this vulnerability in a separate submission. I would recommend conducting a search to find more information on the topic.
Center Point of Failure:-
FEEDER_ROLE is an EOA as mentioned in the docs' role management section:
The implementation of an oracle can effectively address and mitigate all these issues. It is highly recommended to incorporate an oracle, especially for determining the price of USDT, in this phase.
DevABDee
medium
Protocol can face consequences of No Oracle Usage: Frontrunning Attacks, USDT Depeg, and Center Point of Failure Vulnerabilities
Summary
The absence of an Oracle in the protocol can give rise to significant issues such as Frontrunning Attacks, USDT Depeg, and Center Point of Failure Vulnerabilities.
Vulnerability Detail
The lack of Oracle implementation can give rise to 3 issues:
USDT Depeg:- As the Assets value is set manually, the initial value of USDT will be fixed at 1 Dollar. However, if USDT were to experience a de-pegging event similar to USDC, it would create an opportunity for users to acquire additional USD1 tokens. It's true for other assets as well.
XOracle.putPrice()Can Fall Victim to Front-running Attacks: Attackers Can Make Quick Profits, while Users Can Avoid Loss and even Turn the Potential Loss into Profits:- We have extensively discussed the impact of this vulnerability in a separate submission. I would recommend conducting a search to find more information on the topic.Center Point of Failure:- FEEDER_ROLE is an EOA as mentioned in the docs' role management section:
This implies that if the FEEDER_ROLE loses its private key or if it is stolen, it could potentially lead to disastrous consequences.
Impact
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/d5328421bea80e3b0fd4595e4eb6b732a40e421e/Unitas-Protocol/src/XOracle.sol#L26 https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/d5328421bea80e3b0fd4595e4eb6b732a40e421e/Unitas-Protocol/src/XOracle.sol#L34
Tool used
Shaheen's Vision
Recommendation
The implementation of an oracle can effectively address and mitigate all these issues. It is highly recommended to incorporate an oracle, especially for determining the price of USDT, in this phase.
Duplicate of #67