XDZIBEC - XO-`_payoffFromContract()` function could allow for invalid `Fixed18` values to be returned

[sherlock-admin]

XDZIBEC

high

XO-_payoffFromContract() function could allow for invalid Fixed18 values to be returned

Summary

• The vulnerability is in the _payoffFromContract() function, the payoff function on the underlying contract returns a valid Fixed18 value. This means that an attacker could create a contract that implements the IContractPayoffProvider interface and returns an invalid Fixed18 value from the payoff function.

  Vulnerability Detail

  */
  function _payoffFromContract(
  PayoffDefinition memory self,
  Fixed18 price
  ) private view returns (Fixed18) {
  bytes memory ret = address(_providerContract(self)).functionStaticCall(
    abi.encodeCall(IContractPayoffProvider.payoff, price)
  );
  return Fixed18.wrap(abi.decode(ret, (int256)));
  }
  }
  /**

• The vulnerability exist in the _payoffFromContract() function. This function is used to get the payoff from a contract that implements the IContractPayoffProvider interface. The vulnerability is that the function does not check to see if the payoff function on the underlying contract returns a valid Fixed18 value. This means that an attacker could create a contract that implements the IContractPayoffProvider interface and returns an invalid Fixed18 value from the payoff function. If the attacker is able to do this, then the _payoffFromContract() function will return an invalid Fixed18 value, which could lead to unintended consequences.

  Impact

• an attacker can exploit the vulnerability and cause the contract to lose funds or to give the attacker control of the contract.

  Code Snippet

• https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/interfaces/types/PayoffDefinition.sol#L90C3-L99C2

  Tool used

Manual Review

Recommendation

• adding a check to the _payoffFromContract() function to see if the payoff function on the underlying contract returns a valid Fixed18 value.