sherlock-audit / 2024-03-arrakis-judging


cergyk - ValantisModule::setALMAndManagerFees Public vault owner can use upgradeable oracle to rug funds #73

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

cergyk

medium

ValantisModule::setALMAndManagerFees Public vault owner can use upgradeable oracle to rug funds

Summary

The owner of a public vault can select any oracle in ValantisModule::setALMAndManagerFees (for example an upgradeable one).

If the oracle is controlled by the owner, they can rug the vault because ArrakisStandardManager::rebalance depends on info.oracle.getPrice0().

Vulnerability Detail

According to the contest README, public vault owners are restricted: README.md?plain=1#L33

A public vault owner can call ValantisModule::setALMAndManagerFees to “set HOT, oracle (wrapper of HOT), and init manager fees function.”: ValantisHOTModule.sol#L188

Therefore, a public vault owner can set any oracle of his choice, like an upgradeable one, which wouldn't arouse users' suspicions during the timelock imposed on the owner's actions, and later upgrade it to a malicious oracle to control the price returned by the oracle in ArrakisStandardManager::rebalance: ArrakisStandardManager.sol#L354.

Impact

Theft of funds due to price oracle manipulation.

Code Snippet

Tool used

Manual Review

Recommendation

The protocol owner should whitelist a list of verified oracles and allow the public vault owners to choose only from this list.

Duplicate of #43
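The recommended mitigation (a protocol-owner-maintained allowlist of verified oracles that the public vault owner must choose from), sketched as an added illustrative example. This is not Arrakis or Valantis code; the contract names, the `OracleRegistry`, the simplified `setOracleAndManagerFee` stand-in and the `IOracleWrapper` interface are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only: not Arrakis/Valantis code. All names are assumed.
// Minimal view of the oracle wrapper the manager's rebalance path reads from.
interface IOracleWrapper {
    function getPrice0() external view returns (uint256);
    function getPrice1() external view returns (uint256);
}

/// Allowlist of oracle wrappers reviewed by the protocol owner. Only the
/// protocol owner (not a vault owner) may add or remove entries, so a vault
/// owner cannot point the vault at an oracle they control or can upgrade.
contract OracleRegistry {
    address public immutable protocolOwner;
    mapping(address => bool) public isVerified;

    event OracleVerified(address indexed oracle, bool verified);

    error NotProtocolOwner();

    constructor(address protocolOwner_) {
        protocolOwner = protocolOwner_;
    }

    function setVerified(address oracle, bool verified) external {
        if (msg.sender != protocolOwner) revert NotProtocolOwner();
        isVerified[oracle] = verified;
        emit OracleVerified(oracle, verified);
    }
}

/// Simplified stand-in for a module whose public vault owner picks the oracle.
/// The vault owner keeps the ability to choose, but only from the registry.
contract ModuleWithOracleAllowlist {
    OracleRegistry public immutable registry;
    address public immutable vaultOwner;
    IOracleWrapper public oracle;
    uint256 public managerFeePIPS;

    event OracleSet(address indexed oracle, uint256 managerFeePIPS);

    error NotVaultOwner();
    error OracleNotVerified(address oracle);

    constructor(OracleRegistry registry_, address vaultOwner_) {
        registry = registry_;
        vaultOwner = vaultOwner_;
    }

    /// Stand-in for the oracle/fee setter: reverts unless the oracle address is
    /// on the protocol owner's allowlist at the time of the call.
    function setOracleAndManagerFee(address oracle_, uint256 managerFeePIPS_) external {
        if (msg.sender != vaultOwner) revert NotVaultOwner();
        if (!registry.isVerified(oracle_)) revert OracleNotVerified(oracle_);
        oracle = IOracleWrapper(oracle_);
        managerFeePIPS = managerFeePIPS_;
        emit OracleSet(oracle_, managerFeePIPS_);
    }

    /// Price read used by the rebalance path. Re-checking the registry here
    /// means an oracle delisted after it was set can no longer drive a
    /// rebalance, instead of the allowlist applying only at set time.
    function verifiedPrice0() external view returns (uint256) {
        address current = address(oracle);
        if (!registry.isVerified(current)) revert OracleNotVerified(current);
        return oracle.getPrice0();
    }
}
```

The allowlist only helps if the protocol owner's verification process itself rejects upgradeable contracts: the registry cannot tell a proxy from an immutable wrapper on-chain, so the review that precedes `setVerified` has to confirm the deployed code has no upgrade path (for example by checking off-chain that no EIP-1967 implementation slot is populated and that the wrapper performs no delegatecall). Re-checking membership on the read path, as `verifiedPrice0` does, lets the protocol owner respond to a later discovered problem by delisting the oracle rather than relying on every vault owner to switch away from it.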