search

sherlock-audit / 2024-05-midas-judging

13 stars 6 forks source link

Bigsam - Deposit will revert in a special case (possibly-high) : Potential Deposit Failures for New Users #128

Closed sherlock-admin4 closed 6 months ago

sherlock-admin4 commented 6 months ago

Bigsam

medium

Deposit will revert in a special case (possibly-high) : Potential Deposit Failures for New Users

Summary

According to the readme provided

IB01/USD Price from Chainlink is RESTRICTED, as their documentation states that the price will only be updated during defined market hours (weekends and holidays excluded), so we assume the price is only stale if more than three days have passed.

https://audits.sherlock.xyz/contests/332#:~:text=IB01/USD%20Price%20from%20Chainlink%20is%20RESTRICTED%2C%20as%20their%20documentation%20states%20that%20the%20price%20will%20only%20be%20updated%20during%20defined%20market%20hours%20(weekends%20and%20holidays%20excluded)%2C%20so%20we%20assume%20the%20price%20is%20only%20stale%20if%20more%20than%20three%20days%20have%20passed.

This report identifies an edge case in the deposit functionality of the protocol that could lead to deposit failures for new users on Easter Monday.

Easter Friday is a holiday, Saturday, Sunday and Easter Monday is also a holiday.

The issue arises due to a combination of factors: Stale Price Assumption: The protocol assumes a price is stale if it hasn't been updated in more than three days.

Easter Monday Exclusion: However, Easter Monday is not explicitly excluded from this assumption, even though it falls within the defined market hours (weekends and holidays excluded) for price updates.

Price Feed Deadline: The price feed used by the protocol (IB01/USD Price from Chainlink) has a deadline for updates, which could lead to stale prices on Easter Monday.

As a result, the deposit function might revert for new users attempting to deposit on Easter Monday due to the price being considered stale.

Vulnerability Detail

This is an edge case vulnerability caused by an inconsistency between the assumptions made by the protocol about price staleness and the actual behavior of the price feed on Easter Monday.

Impact

Deposit revert for new Users.

Code Snippet

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/feeds/DataFeed.sol#L25-L27

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/feeds/DataFeed.sol#L73-L77

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/DepositVault.sol#L91

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/DepositVault.sol#L103-L105

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/DepositVault.sol#L160-L161

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/DepositVault.sol#L139

Tool used

Manual Review

Recommendation

1.Extend Price Feed Deadline: The deadline for price updates in the IB01/USD Price feed from Chainlink could be extended to four days. This would ensure that the price is considered valid even on Easter Monday.

  1. Protocol can also review and mitigate with a better option.

Duplicate of #110

WangSecurity commented 5 months ago

This report will be invalidated based on the escalation on #110.