ValantisModule::setALMAndManagerFees Public vault owner can use upgradeable oracle to rug funds
Summary
The owner of a public vault can select any oracle in ValantisModule::setALMAndManagerFees (for example an upgradeable one).
If the oracle is controlled by the owner, they can rug the vault because ArrakisStandardManager::rebalance depends on info.oracle.getPrice0().
Vulnerability Detail
According to the contest README, public vault owners are restricted: README.md?plain=1#L33
A public vault owner can call ValantisModule::setALMAndManagerFees to “set HOT, oracle (wrapper of HOT), and init manager fees function.”: ValantisHOTModule.sol#L188
Therefore, a public vault owner can set any oracle of their choice, such as an upgradeable one. An upgradeable oracle would not arouse users' suspicion during the timelock imposed on the owner's actions; the owner can later upgrade it to a malicious implementation and thereby control the price returned by the oracle in ArrakisStandardManager::rebalance: ArrakisStandardManager.sol#L354.
cergyk
medium
Impact
Theft of funds due to price oracle manipulation.
Code Snippet
Tool used
Manual Review
Recommendation
The protocol owner should whitelist a list of verified oracles and allow the public vault owners to choose only from this list.
Duplicate of #43
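To make the recommendation concrete, here is an added Solidity example (not code from the Arrakis or Valantis repositories) contrasting a simplified vault module whose owner can install any oracle address with one that only accepts oracles vetted by the protocol owner. The contract and interface names (`OracleWhitelist`, `VaultModuleUnchecked`, `VaultModuleWhitelisted`, `IOracle`, `setOracle`, `rebalancePrice`) are assumptions for illustration; only the `getPrice0()` dependency comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal oracle interface assumed for this example; the real HOT oracle
// wrapper exposes more than this, but rebalance only needs getPrice0().
interface IOracle {
    function getPrice0() external view returns (uint256);
}

// Registry of oracle contracts vetted by the protocol owner (hypothetical).
contract OracleWhitelist {
    address public immutable protocolOwner;
    mapping(address => bool) public isWhitelisted;

    event OracleWhitelisted(address indexed oracle, bool allowed);

    constructor(address protocolOwner_) {
        protocolOwner = protocolOwner_;
    }

    // Only the protocol owner, not any vault owner, decides which oracles are acceptable.
    function setWhitelisted(address oracle, bool allowed) external {
        require(msg.sender == protocolOwner, "not protocol owner");
        isWhitelisted[oracle] = allowed;
        emit OracleWhitelisted(oracle, allowed);
    }
}

// Weak pattern: the vault owner may point the vault at any oracle address,
// including a proxy whose implementation the owner can swap out after the timelock.
contract VaultModuleUnchecked {
    address public immutable vaultOwner;
    IOracle public oracle;

    constructor(address vaultOwner_) {
        vaultOwner = vaultOwner_;
    }

    function setOracle(IOracle oracle_) external {
        require(msg.sender == vaultOwner, "not vault owner");
        oracle = oracle_; // no restriction on which contract is accepted
    }

    // Stand-in for the manager's rebalance path: it trusts whatever oracle was installed.
    function rebalancePrice() external view returns (uint256) {
        return oracle.getPrice0();
    }
}

// Hardened pattern: the oracle must be on the protocol-owner-controlled whitelist,
// and the check is repeated at use time so a later de-listing takes effect immediately.
contract VaultModuleWhitelisted {
    address public immutable vaultOwner;
    OracleWhitelist public immutable whitelist;
    IOracle public oracle;

    error OracleNotWhitelisted(address oracle);

    constructor(address vaultOwner_, OracleWhitelist whitelist_) {
        vaultOwner = vaultOwner_;
        whitelist = whitelist_;
    }

    function setOracle(IOracle oracle_) external {
        require(msg.sender == vaultOwner, "not vault owner");
        if (!whitelist.isWhitelisted(address(oracle_))) {
            revert OracleNotWhitelisted(address(oracle_));
        }
        oracle = oracle_;
    }

    function rebalancePrice() external view returns (uint256) {
        // Re-validate on every read: a de-listed oracle cannot keep feeding prices.
        if (!whitelist.isWhitelisted(address(oracle))) {
            revert OracleNotWhitelisted(address(oracle));
        }
        return oracle.getPrice0();
    }
}
```

The whitelist only helps if the protocol owner lists specific, non-upgradeable oracle contracts: whitelisting a proxy address would reintroduce the same issue, since its implementation can still change after review.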