search

sherlock-audit / 2024-02-rio-network-core-protocol-judging

4 stars 4 forks source link

0xumarkhatab - H-1 : DoS while adding Ether Pair asset in RioLRTAssetRegistry #265

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

0xumarkhatab

high

H-1 : DoS while adding Ether Pair asset in RioLRTAssetRegistry

Summary

Due to an incorrect feed address check , the _addAsset will always revert when adding assets price feeds involving ether as one token.

Vulnerability Detail

The _addAsset incorrectly validates the ether-toke pair parice feed.

 function _addAsset(AssetConfig calldata config) internal {
        if (isSupportedAsset(config.asset)) revert ASSET_ALREADY_SUPPORTED(config.asset);
        if (config.asset == address(0)) revert INVALID_ASSET_ADDRESS();

        uint8 decimals = config.asset == ETH_ADDRESS ? 18 : IERC20Metadata(config.asset).decimals();
        if (config.asset == ETH_ADDRESS) {
 ->>>         if (config.priceFeed != address(0)) revert INVALID_PRICE_FEED();
            if (config.strategy != BEACON_CHAIN_STRATEGY) revert INVALID_STRATEGY();
        } else {

Instead of checking for a zero address and if the price feed is zero ( the address of feed is invalid ) and revert, It does the opposite case. 

  if (config.priceFeed != address(0)) revert INVALID_PRICE_FEED();

Likehood : High Impact : High

Impact

Ether based assets will not be added in Registry

Code Snippet

https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTAssetRegistry.sol#L331-L332

Tool used

Manual Review

Recommendation

Replace the != check by ==

 if (config.priceFeed == address(0)) revert INVALID_PRICE_FEED();
nevillehuang commented 7 months ago

Invalid, check is correct