Closed sherlock-admin2 closed 1 year ago
4 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because this is a private function and all checks are done upstream in calling functions
n33k commented:
invalid, AI-generated groundless report
darkart commented:
The same as 14
polarzero commented:
Invalid. The lack of user input validation could not apparently result in a major malfunction or significant loss of funds.
0xVinylDavyl
medium
Unexpected behavior from the _validateAndGetPrice function's failure to validate the oracleVersion and updateData inputs
Summary
The "Lack of Input Validation in _validateAndGetPrice Function" highlights a vulnerability in the contract's _validateAndGetPrice function, which lacks input validation for the oracleVersion and updateData parameters. Failing to validate inputs can lead to unexpected behavior or vulnerabilities.
Vulnerability Detail
The vulnerability arises from the _validateAndGetPrice function's failure to validate the oracleVersion and updateData inputs. Without proper validation, these inputs can be manipulated or provided with malicious data, potentially leading to errors or vulnerabilities in the contract.
Impact
The lack of input validation in the _validateAndGetPrice function can have various negative impacts, including:
Code Snippet
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/pyth/PythOracle.sol#L209
Tool used
Manual Review
Recommendation
To mitigate the lack of input validation in the _validateAndGetPrice function, follow these recommended steps:
Validate oracleVersion: Implement a check to ensure that oracleVersion is within a valid range and adheres to the contract's expected format. You can use require statements to enforce these checks.
Validate updateData: Implement checks to validate the format and content of updateData. Depending on the expected format and content, you may need to perform more specific validation.
By implementing these recommendations and adding input validation checks for both oracleVersion and updateData, you can enhance the security and reliability of the contract. Proper input validation helps prevent unexpected behavior and vulnerabilities resulting from invalid or malicious inputs.