sherlock-audit / 2023-09-perennial-judging

0 stars 0 forks source link

0xVinylDavyl - Unexpected behavior from the _validateAndGetPrice function's failure to validate the oracleVersion and updateData inputs #19

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

0xVinylDavyl

medium

Unexpected behavior from the _validateAndGetPrice function's failure to validate the oracleVersion and updateData inputs

Summary

The "Lack of Input Validation in _validateAndGetPrice Function" highlights a vulnerability in the contract's _validateAndGetPrice function, which lacks input validation for the oracleVersion and updateData parameters. Failing to validate inputs can lead to unexpected behavior or vulnerabilities.

Vulnerability Detail

The vulnerability arises from the _validateAndGetPrice function's failure to validate the oracleVersion and updateData inputs. Without proper validation, these inputs can be manipulated or provided with malicious data, potentially leading to errors or vulnerabilities in the contract.

Impact

The lack of input validation in the _validateAndGetPrice function can have various negative impacts, including:

Code Snippet

function _validateAndGetPrice(uint256 oracleVersion, bytes calldata updateData) private returns (PythStructs.Price memory price) {
    bytes[] memory updateDataList = new bytes[](1);
    updateDataList[0] = updateData;
    bytes32[] memory idList = new bytes32[](1);
    idList[0] = id;

    // ...
}

https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/pyth/PythOracle.sol#L209

Tool used

Manual Review

Recommendation

To mitigate the lack of input validation in the _validateAndGetPrice function, follow these recommended steps:

  1. Validate oracleVersion: Implement a check to ensure that oracleVersion is within a valid range and adheres to the contract's expected format. You can use require statements to enforce these checks.

    require(oracleVersion > 0, "Invalid oracle version");
    require(oracleVersion <= current(), "Future oracle versions not supported");
    // Add additional validation as needed
  2. Validate updateData: Implement checks to validate the format and content of updateData. Depending on the expected format and content, you may need to perform more specific validation.

    require(updateData.length > 0, "Empty update data");
    // Add additional validation for updateData as needed

By implementing these recommendations and adding input validation checks for both oracleVersion and updateData, you can enhance the security and reliability of the contract. Proper input validation helps prevent unexpected behavior and vulnerabilities resulting from invalid or malicious inputs.

sherlock-admin commented 1 year ago

4 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid because this is private function and all checks are done upstream in calling functions

n33k commented:

invalid, ai generated groundless report

darkart commented:

The same as 14

polarzero commented:

Invalid. The lack of user input validation could not apparently result in a major malfunction or significant loss of funds.