alexzoid
medium
When Secondary Offchain Oracle is Invalid, Primary Onchain Will Be Broken Too
Summary
When the secondary offchain oracle is inaccessible or the price is not valid, the primary oracle will also not be available.
Vulnerability Detail
The source code intends to use the price from the primary onchain oracle when the offchain price is invalid. This is evident from the logic within the _getPrice function.
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L115-L128
However, when offchainInvalid == false, the offchainPrice will be zero, which can cause a revert in the following code block due to a price mismatch:
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L111-L113
Btw the issue was not covered by testing due to "disable the price difference check for easier testing":
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/test/helpers/Setup.sol#L180
Impact
An invalid price in the secondary oracle can disrupt the price fetch process. This is a medium severity issue because it affects core functionality.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/OracleModule.sol#L113
Tool used
Manual Review
Recommendation
Modify the code to compare the onchain and offchain price differences only when the offchain price is valid:
Duplicate of #177
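A simplified Solidity model of the check ordering this report describes, next to the guarded ordering the recommendation asks for. This is an added example, not code from the Flatcoin repository or from the report's author; the contract, function and error names, the 1% tolerance, the freshest-price rule and the use of arguments in place of oracle reads are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Simplified model, not the project's OracleModule. Oracle reads are replaced
// by arguments; every name except offchainPrice/offchainInvalid is assumed.
contract OraclePriceModel {
    error PriceMismatch(uint256 diffPercent);

    uint256 public constant MAX_DIFF_PERCENT = 1e16; // assumed tolerance: 1% (1e18 = 100%)

    // Ordering described in the report: the difference check always runs, so an
    // invalid offchain price of 0 yields diffPercent == 1e18 and the call reverts.
    function priceUnconditionalCheck(
        uint256 onchainPrice, uint256 onchainTime,
        uint256 offchainPrice, uint256 offchainTime, bool offchainInvalid
    ) external pure returns (uint256 price, uint256 timestamp) {
        _checkDiff(onchainPrice, offchainPrice);
        return _select(onchainPrice, onchainTime, offchainPrice, offchainTime, offchainInvalid);
    }

    // Recommended ordering: compare the two prices only when the offchain one is valid.
    function priceGuardedCheck(
        uint256 onchainPrice, uint256 onchainTime,
        uint256 offchainPrice, uint256 offchainTime, bool offchainInvalid
    ) external pure returns (uint256 price, uint256 timestamp) {
        if (!offchainInvalid) _checkDiff(onchainPrice, offchainPrice);
        return _select(onchainPrice, onchainTime, offchainPrice, offchainTime, offchainInvalid);
    }

    // Assumes onchainPrice > 0 (an invalid onchain price is taken to revert earlier).
    function _checkDiff(uint256 onchainPrice, uint256 offchainPrice) internal pure {
        uint256 priceDiff = onchainPrice > offchainPrice
            ? onchainPrice - offchainPrice
            : offchainPrice - onchainPrice;
        uint256 diffPercent = (priceDiff * 1e18) / onchainPrice;
        if (diffPercent > MAX_DIFF_PERCENT) revert PriceMismatch(diffPercent);
    }

    // Assumed selection rule: a valid offchain price wins only if it is at least as fresh.
    function _select(
        uint256 onchainPrice, uint256 onchainTime,
        uint256 offchainPrice, uint256 offchainTime, bool offchainInvalid
    ) internal pure returns (uint256, uint256) {
        if (!offchainInvalid && offchainTime >= onchainTime) return (offchainPrice, offchainTime);
        return (onchainPrice, onchainTime);
    }
}
```

With the constructed inputs (2000e18, 100, 0, 0, true), priceUnconditionalCheck reverts with PriceMismatch(1e18), while priceGuardedCheck returns the onchain pair (2000e18, 100).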