search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

ni8mare - There is no oracle for reth/usd on base and the protocol does not account for it. #241

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 8 months ago

ni8mare

high

There is no oracle for reth/usd on base and the protocol does not account for it.

Summary

There is no oracle for reth/usd and the protocol does not account for it.

Vulnerability Detail

The reth oracle on base is for the pair reth/eth - https://docs.chain.link/data-feeds/price-feeds/addresses?network=base&page=1&search=reth. So, the contract needs to be updated to use reth/eth and eth/usd oracles to get the price of reth/usd. While doing so, care must also be taken to use 2 different heartbeats associated with each oracle to check for staleness.

Impact

The wrong price of the asset will be used by the protocol

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L138C1-L158C1

Tool used

Manual Review

Recommendation

Use the 2 different oracles as mentioned above.

Duplicate of #90

sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: