gqrp - Fallback to onchain oracle wrongly implemented

[sherlock-admin2]

gqrp

medium

Fallback to onchain oracle wrongly implemented

Summary

Not working oracle fallback mechanism leads to a stalled contract.

Vulnerability Detail

As per a developer's note, it has been specified that the fallback in the _getPrice function should default to the on-chain oracle.

However, there is an issue in the implementation. When invoking the getPriceNoOlderThan in the _getOffChainPrice function is triggering an error, the returned value invalid is the to true. Consequently, the values returned for price and timestamp in this situation will be set to 0, as initialized in the _getOffchainPrice function declaration.

Due to these assigned values, the _getPrice function will revert and never fallback to the on-chain oracle in the case where offchainInvalid is true in the _getPrice function.

Impact

Stalled contract. Until the off-chain Oracle is restored, certain actions, such as announcing leverage adjustments, announcing leverage closure, execute open, execute adjust, execute close, close limited order, liquidations, or etc. cannot be processed.

Code Snippet

See provided links above.

Tool used

Manual Review

Recommendation

Review and revise the Oracle fallback mechanism to ensure that a fallback to the on-chain Oracle is possible in the event that the off-chain Oracle ceases to function.

Duplicate of #177

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

[sherlock-admin]

The protocol team fixed this issue in PR/commit https://github.com/dhedge/flatcoin-v1/pull/270.