search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

Psyduck - Protocol uses the wrong parameters for the onchain and offchain oracles #56

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Psyduck

high

Protocol uses the wrong parameters for the onchain and offchain oracles

Summary

Protocol uses the wrong parameter for the onchain and offchain oracles

Vulnerability Detail

The protocol uses an oracle and an a backup oracle to fetch prices. This is encapsulated in the getprice function

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L102-L109

Now let's take a look at the nested function that calculates the price for the on chain orc

   if (block.timestamp > timestamp + onchainOracle.maxAge)

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L148

Here it is checking the maxage of the onchain oracle contract to see if the price is fresh enough to use. The same maxage is checked in the offchain oracle as well. 

 try oracle.getPriceNoOlderThan(offchainOracle.priceId, offchainOracle.maxAge) returns (
            PythStructs.Price memory priceData
        )

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L167

Both oracle contracts are supposed to be deployed by the protocol. However, when checking the deployment script, there is no maxage parameter for either the on chain oracle or the offchain oracle; there is only the chainlinkPriceExpiry for the onchain oracle and the pythMaxPriceAge for the off chain oracle. This error in calling the wrong parameter will cause unexpected reverts and make the protocol un useable.

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/scripts/deployment/configs/OracleModule.config.js#L6

It is also worth noting that it also uses the wrong parameter for the pyth price ID, as the one used in the script does not match the one listed in the price feed ids

https://pyth.network/developers/price-feed-ids

Impact

Oracle function will not work, causing the whole protocol to freeze

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/scripts/deployment/configs/OracleModule.config.js#L6

Tool used

Manual Review

Recommendation

Use the same parameters for the oracle used in the config file

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 8 months ago

Invalid, script files are out of scope for the contest