sherlock-audit / 2023-12-flatmoney-judging

ge6a - OracleModule is not compatible with the existing Chainlink/Pyth feeds #273

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 8 months ago

ge6a

medium

OracleModule is not compatible with the existing Chainlink/Pyth feeds

Summary

The OracleModule is used to obtain the price of rETH. Two oracles are used, and the price obtained from both is compared. Therefore, they are expected to be in the same currency. The problem is that Chainlink does not have a feed for rETH/USD on Base, only for rETH/ETH. On the other hand, Pyth only has a feed for rETH/USD. Therefore, the two oracles are incompatible with the given implementation, and there is no way to configure the module to work correctly.

Vulnerability Detail

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L106-L136

Impact

The OracleModule is used by almost every part of the protocol; therefore, we are talking about broken core functionality. Based on the README file and the provided code, there is no way for me to know how the developers intend to configure it, so I am submitting this report.

Code Snippet

Above

Tool used

Manual Review

Recommendation

Accommodate both rETH/ETH and ETH/USD from Chainlink in order to get rETH/USD price.

Duplicate of #90
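
The recommendation above, sketched as an added example that is not part of the original report or of the Flat Money code base: it multiplies Chainlink's rETH/ETH and ETH/USD answers into one rETH/USD value, so the on-chain price is in the same currency as the Pyth rETH/USD feed it is compared against. The contract name `RethUsdComposer`, the `maxAge` staleness bound and the 18-decimal output scale are assumptions; only `decimals()` and `latestRoundData()` are Chainlink's own interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical helper (not the project's code): derives rETH/USD from two Chainlink feeds.
contract RethUsdComposer {
    AggregatorV3Interface public immutable rethEthFeed; // rETH/ETH feed
    AggregatorV3Interface public immutable ethUsdFeed;  // ETH/USD feed
    uint256 public immutable maxAge; // assumed staleness bound, in seconds

    error InvalidPrice(address feed);
    error StalePrice(address feed);

    constructor(AggregatorV3Interface _rethEth, AggregatorV3Interface _ethUsd, uint256 _maxAge) {
        rethEthFeed = _rethEth;
        ethUsdFeed = _ethUsd;
        maxAge = _maxAge;
    }

    /// Returns rETH/USD scaled to 18 decimals and the older of the two update times.
    function getPrice() external view returns (uint256 price, uint256 timestamp) {
        (uint256 rethEth, uint256 tA) = _read(rethEthFeed);
        (uint256 ethUsd, uint256 tB) = _read(ethUsdFeed);
        uint256 scale = uint256(10) ** (uint256(rethEthFeed.decimals()) + ethUsdFeed.decimals());
        // (rETH/ETH) * (ETH/USD) = rETH/USD; divide out both feeds' decimals.
        price = (rethEth * ethUsd * 1e18) / scale;
        timestamp = tA < tB ? tA : tB; // the composite is only as fresh as its older leg
    }

    // Reads one feed and rejects non-positive or stale answers.
    function _read(AggregatorV3Interface feed) private view returns (uint256 answer, uint256 updatedAt) {
        int256 raw;
        (, raw, , updatedAt, ) = feed.latestRoundData();
        if (raw <= 0) revert InvalidPrice(address(feed));
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(address(feed));
        answer = uint256(raw);
    }
}
```

Using the older of the two timestamps keeps any freshness check applied to the composed price from passing when only one leg has been updated recently.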

sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: