sherlock-audit / 2023-04-unitasprotocol-judging

4 stars 3 forks source link

0xGoodess - There is no liveness check on the getLatestPrice from oracle when used on Unitas #54

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xGoodess

medium

There is no liveness check on the getLatestPrice from oracle when used on Unitas

Summary

There is no liveness check on the getLatestPrice from oracle when used on Unitas

Vulnerability Detail

XOracle provides price feed of assets for Unitas to use during swap. the amount in/out would be calculated based on the latestPrice from XOracle. However, there is no liveness check on the return value from the latestPrice. If the price feed is outdated or the chain just return online after a long time offline, the swap would be done with the outdated price

    function _getSwapResult(
        ITokenManager.PairConfig memory pair,
        address tokenIn,
        address tokenOut,
        AmountType amountType,
        uint256 amount
    )
        internal
        view
        returns (uint256 amountIn, uint256 amountOut, IERC20Token feeToken, uint256 fee, uint24 feeNumerator, uint256 price)
    {
        _checkAmountPositive(amount);

        // Checks the tokens of the pair config are valid
        bool isBuy = tokenOut == pair.baseToken;
        _require(
            (isBuy && tokenIn == pair.quoteToken) ||
                (tokenOut == pair.quoteToken && tokenIn == pair.baseToken),
            Errors.PAIR_INVALID
        );

        address priceQuoteToken = _getPriceQuoteToken(tokenIn, tokenOut);
        price = oracle.getLatestPrice(priceQuoteToken);

Impact

outdated price feed would still be used in Unitas during swap

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L417-L440

Tool used

Manual Review

Recommendation

add a liveness check to make sure the price is within certain threshold.

Duplicate of #150