sherlock-audit / 2023-05-USSD-judging


peanuts - quoteSpecificPoolsWithTimePeriod() will not work because dependency is not integrated #83

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

peanuts

high

quoteSpecificPoolsWithTimePeriod() will not work because dependency is not integrated

Summary

quoteSpecificPoolsWithTimePeriod() uses Mean-Finance integration which is not installed in the protocol.

Vulnerability Detail

StaticOracle is a tool developed by Mean Finance under Uniswap's grant program that aims to help developers integrate easily and fast with Uniswap's v3 TWAP oracles. StaticOracle will allow developers to:

The package is missing from the dependency folder. Integrating the StaticOracle should look something like this in package.json:

  "dependencies": {
    "@mean-finance/uniswap-v3-oracle": "^1.0.3",
    "@openzeppelin/contracts": "^4.7.3",

Impact

quoteSpecificPoolsWithTimePeriod() will not work.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBGL.sol#L28
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L36

Tool used

Manual Review

Recommendation

Recommend following the instructions on Mean-Finance's GitHub to integrate the functions of StaticOracle properly. Add the dependency with npm install @mean-finance/uniswap-v3-oracle.

https://github.com/Mean-Finance/uniswap-v3-oracle/tree/9935263665c5a16f9c385e909bcc6edcc8d56970
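As an added example (not code from the USSD repository or from Mean Finance), a Node.js check of the kind this finding calls for: it extracts npm package names from the import statements of Solidity sources and reports any that package.json does not declare. The sample contract and package.json below are constructed for the example.

```javascript
// Added example: cross-check the npm packages imported by Solidity sources
// against the "dependencies" declared in package.json, so a missing package
// such as @mean-finance/uniswap-v3-oracle is caught before compilation.

// Matches `import "x";`, `import {A} from "x";` and `import * as X from "x";`.
const IMPORT_RE = /import\s+(?:[^'";]*?\bfrom\s+)?["']([^"']+)["']\s*;/g;

// Return the npm package name an import path resolves to, or null for
// relative imports (./ or ../), which are local files rather than packages.
function packageOf(importPath) {
  if (importPath.startsWith('.')) return null;
  const parts = importPath.split('/');
  return importPath.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Extract every import path from one Solidity source string.
function solidityImports(source) {
  return Array.from(source.matchAll(IMPORT_RE), (m) => m[1]);
}

// Given { fileName: sourceText } and a parsed package.json, return the sorted
// list of imported packages declared in neither dependencies nor devDependencies.
function missingDependencies(sources, packageJson) {
  const declared = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
  ]);
  const missing = new Set();
  for (const source of Object.values(sources)) {
    for (const imp of solidityImports(source)) {
      const pkg = packageOf(imp);
      if (pkg && !declared.has(pkg)) missing.add(pkg);
    }
  }
  return [...missing].sort();
}

// Constructed sample: an oracle contract importing the StaticOracle interface,
// checked against a package.json that lists only Chainlink and OpenZeppelin.
const SAMPLE_SOURCES = {
  'StableOracleExample.sol': `
    pragma solidity ^0.8.0;
    import "@openzeppelin/contracts/access/Ownable.sol";
    import {IStaticOracle} from "@mean-finance/uniswap-v3-oracle/solidity/interfaces/IStaticOracle.sol";
    import "./interfaces/IStableOracle.sol";
  `,
};
const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@chainlink/contracts': '^0.6.1', '@openzeppelin/contracts': '^4.8.2' },
};

console.log('missing:', missingDependencies(SAMPLE_SOURCES, SAMPLE_PACKAGE_JSON));
```

Run against the real ussd-contracts tree by reading each .sol file into the sources map and parsing the project's package.json; a non-empty result is a build that will fail to resolve imports.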

cryptostaker2 commented 1 year ago

Escalate for 10 USDC

This is not a duplicate of #817, which talks about implementing wrong oracle feed address.

This issue is about implementing StaticOracle itself. quoteSpecificPoolsWithTimePeriod() function will not work because the dependency is not integrated into the protocol.

The following is the current package.json of the protocol.

{
  "name": "USSD",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "@chainlink/contracts": "^0.6.1",
    "@openzeppelin/contracts": "^4.8.2",
    "@openzeppelin/contracts-upgradeable": "^4.8.2",
    "@openzeppelin/test-helpers": "^0.5.16",
    "@openzeppelin/truffle-upgrades": "^1.17.1",
    "@uniswap/smart-order-router": "^3.11.0",
    "@uniswap/swap-router-contracts": "^1.3.0",
    "@uniswap/v3-core": "uniswap/v3-core#0.8",
    "@uniswap/v3-periphery": "uniswap/v3-periphery#0.8",
    "chai": "^4.3.7",
    "ethers": "^5.7.2",
    "prettier": "^2.8.8",
    "prettier-plugin-solidity": "^1.1.3",
    "solhint": "^3.4.1",
    "solhint-plugin-prettier": "^0.0.5",
    "truffle": "^5.8.1",
    "truffle-assertions": "^0.9.2",
    "truffle-flattener": "^1.6.0"
  }
}

The file is lacking this specific package, which makes StaticOracle work.

 "@mean-finance/uniswap-v3-oracle": "^1.0.3",

sherlock-admin commented 1 year ago

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

hrishibhat commented 1 year ago

Result:
Invalid
Unique
Not a duplicate of #817

This is not a smart contract related issue. This is a dependency-related issue that needs to be handled by the protocol during deployment if there is an issue. Also it is already commented here: https://github.com/sherlock-audit/2023-05-USSD/blob/6d7a9fdfb1f1ed838632c25b6e1b01748d0bafda/ussd-contracts/contracts/oracles/UniswapV3StaticOracle.sol#L11

sherlock-admin commented 1 year ago

Escalations have been resolved successfully!

Escalation status: