XO-getLatestPrice function allows attacker to get price of non-existent asset.

Summary

The getLatestPrice function does not check to make sure that the asset is a valid ERC20 token. This means that an attacker could call this function with an address that does not refer to a valid ERC20 token, and the function would succeed, even though the asset is not a valid ERC20 token.

Vulnerability Detail

function getLatestPrice(address asset) external view returns (uint256 price);

// Struct of main contract XOracle
struct Price{
    address asset;
    uint64 timestamp;
    uint64 prev_timestamp;
    uint256 price;
    uint256 prev_price;
}

struct NewPrice{
    address asset;
    uint64 timestamp;
    uint256 price;
}
}

There is a vulnerability in the interface IOracle, in the getLatestPrice function does not check to make sure that the asset is a valid ERC20 token. This means that an attacker could call this function with an address that does not refer to a valid ERC20 token, and the function would succeed, even though the asset is not a valid ERC20 token.
Impact
The vulnerability can be exploited by an attacker who calls the getLatestPrice function with an address that does not refer to a valid ERC20 token.
This vulnerability allows an attacker to get the price of an asset that does not exist.
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/interfaces/IOracle.sol#L10C1-L26C2
Tool used

Manual Review

Recommendation

adding a check to the getLatestPrice function to make sure that the asset is a validERC20 token.

sherlock-audit / 2023-04-unitasprotocol-judging

XDZIBEC - XO-getLatestPrice function allows attacker to get price of non-existent asset. #78

XO-getLatestPrice function allows attacker to get price of non-existent asset.

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation