Here it is checking the maxage of the onchain oracle contract to see if the price is fresh enough to use. The same maxage is checked in the offchain oracle as well.
Both oracle contracts are supposed to be deployed by the protocol. However, when checking the deployment script, there is no maxage parameter for either the on chain oracle or the offchain oracle; there is only the chainlinkPriceExpiry for the onchain oracle and the pythMaxPriceAge for the off chain oracle. This error in calling the wrong parameter will cause unexpected reverts and make the protocol un useable.
It is also worth noting that it also uses the wrong parameter for the pyth price ID, as the one used in the script does not match the one listed in the price feed ids
Psyduck
high
Protocol uses the wrong parameters for the onchain and offchain oracles
Summary
Protocol uses the wrong parameter for the onchain and offchain oracles
Vulnerability Detail
The protocol uses an oracle and an a backup oracle to fetch prices. This is encapsulated in the getprice function
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L102-L109
Now let's take a look at the nested function that calculates the price for the on chain orc
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L148
Here it is checking the maxage of the onchain oracle contract to see if the price is fresh enough to use. The same maxage is checked in the offchain oracle as well.
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L167
Both oracle contracts are supposed to be deployed by the protocol. However, when checking the deployment script, there is no maxage parameter for either the on chain oracle or the offchain oracle; there is only the chainlinkPriceExpiry for the onchain oracle and the pythMaxPriceAge for the off chain oracle. This error in calling the wrong parameter will cause unexpected reverts and make the protocol un useable.
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/scripts/deployment/configs/OracleModule.config.js#L6
It is also worth noting that it also uses the wrong parameter for the pyth price ID, as the one used in the script does not match the one listed in the price feed ids
https://pyth.network/developers/price-feed-ids
Impact
Oracle function will not work, causing the whole protocol to freeze
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/scripts/deployment/configs/OracleModule.config.js#L6
Tool used
Manual Review
Recommendation
Use the same parameters for the oracle used in the config file