Open sherlock-admin opened 1 year ago
bin2chen
medium
oracle.update() wrong privilege control leads to OracleFactory.update() being unable to add an oracleProvider
Summary
Wrong privilege control on oracle.update() leads to OracleFactory.update() being unable to add an oracleProvider.

Vulnerability Detail
In OracleFactory.update(), oracle.update() is called:

```solidity
contract OracleFactory is IOracleFactory, Factory {
    ...
    function update(bytes32 id, IOracleProviderFactory factory) external onlyOwner {
        if (!factories[factory]) revert OracleFactoryNotRegisteredError();
        if (oracles[id] == IOracleProvider(address(0))) revert OracleFactoryNotCreatedError();
        IOracleProvider oracleProvider = factory.oracles(id);
        if (oracleProvider == IOracleProvider(address(0))) revert OracleFactoryInvalidIdError();
        IOracle oracle = IOracle(address(oracles[id]));
@>      oracle.update(oracleProvider);
    }
}
```

But oracle.update() requires the caller to be OracleFactory.owner(), not OracleFactory itself:

```solidity
@>  function update(IOracleProvider newProvider) external onlyOwner {
        _updateCurrent(newProvider);
        _updateLatest(newProvider.latest());
    }

    modifier onlyOwner {
@>      if (msg.sender != factory().owner()) revert InstanceNotOwnerError(msg.sender);
        _;
    }
```

This results in OracleFactory not being able to call update(). Suggest changing the restriction on oracle.update() to factory().

Impact
OracleFactory.update() is unable to add an IOracleProvider.

Code Snippet
https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/OracleFactory.sol#L81

Tool used
Manual Review

Recommendation
contract Oracle is IOracle, Instance { ... - function update(IOracleProvider newProvider) external onlyOwner { + function update(IOracleProvider newProvider) external { + require(msg.sender == factory(),"invalid sender"); _updateCurrent(newProvider); _updateLatest(newProvider.latest()); }
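Review bot: the added `require(msg.sender == factory(),"invalid sender");` compares an address with a contract type and will not compile as written: the existing modifier calls `factory().owner()`, so `factory()` returns a contract interface, not an address, and the check needs `msg.sender == address(factory())`. Since the rest of this contract reverts with custom errors (`InstanceNotOwnerError(msg.sender)` in the removed onlyOwner path), a custom error such as a hypothetical `InstanceNotFactoryError(msg.sender)` would be more consistent than a require string. Note also that dropping onlyOwner means the factory owner can no longer call oracle.update() directly; every provider change must then go through OracleFactory.update(), which is itself onlyOwner, so that should be the intended sole entry point.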
1 comment(s) were left on this issue during the judging contest.
141345 commented:
m
Fixed: https://github.com/equilibria-xyz/perennial-v2/pull/81
From WatchPug, Fixed.
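The call path described in the report, as an added example that is not part of the original issue or of Perennial's code: a constructed factory/oracle pair in which one oracle's onlyOwner checks the factory's owner (the reported pattern) and a second oracle checks the factory address (the recommended restriction). Every contract name (DemoFactory, DemoOracle, DemoOracleFixed, DemoProvider, DemoRepro) is hypothetical. Compiled with solc ^0.8.19 and deployed, DemoRepro.run() returns (false, true): the update forwarded through the vulnerable oracle reverts with InstanceNotOwnerError carrying the factory's address, because inside the oracle msg.sender is the factory contract rather than its owner, while the fixed oracle accepts the same call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed reproduction of the report's access-control mismatch. Every
// contract name here (DemoFactory, DemoOracle, DemoOracleFixed, DemoProvider,
// DemoRepro) is hypothetical and is not Perennial's code.

interface IDemoProvider {
    function latest() external view returns (uint256);
}

contract DemoProvider is IDemoProvider {
    uint256 public immutable value;
    constructor(uint256 v) { value = v; }
    function latest() external view returns (uint256) { return value; }
}

error InstanceNotOwnerError(address sender);
error InstanceNotFactoryError(address sender);

// Mirrors the reported Oracle: onlyOwner compares msg.sender with the
// factory's owner, so a call forwarded by the factory contract itself
// (msg.sender == factory) reverts even though the factory's owner started it.
contract DemoOracle {
    address public immutable factory;
    IDemoProvider public current;

    constructor() { factory = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != DemoFactory(factory).owner()) revert InstanceNotOwnerError(msg.sender);
        _;
    }

    function update(IDemoProvider newProvider) external onlyOwner {
        current = newProvider;
    }
}

// Same oracle with the recommended restriction: only the factory may call update().
contract DemoOracleFixed {
    address public immutable factory;
    IDemoProvider public current;

    constructor() { factory = msg.sender; }

    modifier onlyFactory() {
        if (msg.sender != factory) revert InstanceNotFactoryError(msg.sender);
        _;
    }

    function update(IDemoProvider newProvider) external onlyFactory {
        current = newProvider;
    }
}

// Factory owned by its deployer. Its update() is onlyOwner and forwards to the
// oracle, the same call path as OracleFactory.update() -> oracle.update().
contract DemoFactory {
    address public owner;
    DemoOracle public oracle;
    DemoOracleFixed public oracleFixed;

    constructor() {
        owner = msg.sender;
        oracle = new DemoOracle();          // oracle.factory() == address(this)
        oracleFixed = new DemoOracleFixed();
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Reports whether the forwarded oracle.update() succeeded instead of
    // bubbling the revert, so both paths can be compared in one transaction.
    function updateVulnerable(IDemoProvider p) external onlyOwner returns (bool ok) {
        try oracle.update(p) { ok = true; } catch { ok = false; }
    }

    function updateFixed(IDemoProvider p) external onlyOwner returns (bool ok) {
        try oracleFixed.update(p) { ok = true; } catch { ok = false; }
    }
}

// Deploy DemoRepro and call run(): this contract is the factory's owner, yet
// the vulnerable path fails because inside DemoOracle msg.sender is the factory.
contract DemoRepro {
    function run() external returns (bool vulnerableOk, bool fixedOk) {
        DemoFactory f = new DemoFactory();
        IDemoProvider p = new DemoProvider(42);
        vulnerableOk = f.updateVulnerable(p);
        fixedOk = f.updateFixed(p);
    }
}
```

The try/catch in DemoFactory is only there so both outcomes can be observed from a single call; in the real OracleFactory.update() the revert simply bubbles up, which is exactly why the owner cannot register a provider through the factory.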