The contract does not check the timestamp of the oracle data, and cannot decide whether the oracle data can be trusted.
Vulnerability Detail
The contract uses an oracle through the XOracle wrapper to report the prices of the various tokens. This oracle is invoked when calculating the swap result in the following lines.
However, there are no checks for the staleness of the data. Thus if the oracle system breaks, the contract will keep working indefinitely with the wrong data. The oracle contract even has a way to store timestamps, and when the function getPrice is called, it returns the relevant timestamps. The checkPrice function however never checks these timestamps and thus cannot pause itself when encountering outdated values.
Follow Chainlink guidelines for proper oracle usage. For L2s, check if sequencer is online. For other chains, check if the timestamp of the latest price is within a threshold.
carrotsmuggler
medium
Insufficient checks on oracle price
Summary
The contract does not check the timestamp of the oracle data, and cannot decide whether the oracle data can be trusted.
Vulnerability Detail
The contract uses an oracle through the XOracle wrapper to report the prices of the various tokens. This oracle is invoked when calculating the swap result in the following lines.
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L438-L440
The function
checkPriceis responsible for cleaning the data and is implemented as shown.https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L595-L600
However, there are no checks for the staleness of the data. Thus if the oracle system breaks, the contract will keep working indefinitely with the wrong data. The oracle contract even has a way to store timestamps, and when the function
getPriceis called, it returns the relevant timestamps. ThecheckPricefunction however never checks these timestamps and thus cannot pause itself when encountering outdated values.Impact
Stale oracle prices
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L595-L600
Tool used
Manual Review
Recommendation
Follow Chainlink guidelines for proper oracle usage. For L2s, check if sequencer is online. For other chains, check if the timestamp of the latest price is within a threshold.
Duplicate of #150