tvdung94 - Oracle fee might be stuck in oracle factory contract

[sherlock-admin]

tvdung94

medium

Oracle fee might be stuck in oracle factory contract

Summary

Oracle fee might be stuck in oracle factory contract.

Vulnerability Detail

When OracleFactory#fund() is called, it will trigger market#claimFee(), which will transfer oracle fee back to the oracle factory contract. The problem is that if incentive token is different from oracle fee token, there is no way for the owner to withdraw fee money.

Even when incentive and oracle fee are same token and can be withdrawn by OracleFactory#claim(), withdrawing will still be quite cumbersome. Oracle factory owner will have to register their own factory and either:

• Withdraw small amount (maxClaim limit) multiple times, paying more gas fee or
• set maxClaim to total amount of token in contract and withdraw only one time. However, if any other factory calls claim(maxClaim) before the owner, funds will be lost.

Impact

Token stuck in contract and/or potentially minor loss of funds for the owner.

Code Snippet

https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/OracleFactory.sol#L93-L96

Tool used

Manual Review

Recommendation

Implement withdraw function or transfer token directly from market to oracle factory's owner

[sherlock-admin]

3 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, deployer's error if incentive is not set to market's fee token

darkart commented:

That is intended for maintanance if someone put the wrong token and it get stuck it's user error\

polarzero commented:

Invalid. It does not seem to be able to incur a significant loss of funds for the users.

[syjcnss]

Confirmed with protocol that this is working as intended.