PendlePTOracle does not check pendle oracle's health with every call
Summary
The PendlePTOracle checks the pendle oracle's health only once (in constructor) not accounting for potential failures or periods where reporting is unreliable that might occur later on
Vulnerability Detail
The PendlePTOracle checks the health of the specific market oracle on Pendle Oracle with the following code in the Constructor:
However, the state of the Pendle Oracle for the market is dynamic and can change over time, making the use of this sanity check necessary at the start of every call to _calculateBaseToQuote, (in the same way that the sequencer health check (_checkSequencer) is conducted before every call). Failing to check the pendle oracle health with every call can lead to inaccurate price reports in periods where the Pendle Oracle reporting for the market is unreliable such as when increaseCardinalityRequired in non-zero (not enough reporters) or oldestObservationSatisfied is false (no recent enough samples) causing unbound financial damage to users.
root cause
failure to check Pendle Oracle health before every call to _calculateBaseToQuote
Impact
Inaccurate price reports when pendle oracle health for the market is compromised, leading to disruption in account health checks and failures in TradingMudule token trades (i.e. when exiting the market).
nirohgo
Medium
PendlePTOracle does not check pendle oracle's health with every call
Summary
The PendlePTOracle checks the pendle oracle's health only once (in constructor) not accounting for potential failures or periods where reporting is unreliable that might occur later on
Vulnerability Detail
The PendlePTOracle checks the health of the specific market oracle on Pendle Oracle with the following code in the Constructor:
However, the state of the Pendle Oracle for the market is dynamic and can change over time, making the use of this sanity check necessary at the start of every call to _calculateBaseToQuote, (in the same way that the sequencer health check (_checkSequencer) is conducted before every call). Failing to check the pendle oracle health with every call can lead to inaccurate price reports in periods where the Pendle Oracle reporting for the market is unreliable such as when increaseCardinalityRequired in non-zero (not enough reporters) or oldestObservationSatisfied is false (no recent enough samples) causing unbound financial damage to users.
root cause
failure to check Pendle Oracle health before every call to _calculateBaseToQuote
Impact
Inaccurate price reports when pendle oracle health for the market is compromised, leading to disruption in account health checks and failures in TradingMudule token trades (i.e. when exiting the market).
Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/14d3eaf0445c251c52c86ce88a84a3f5b9dfad94/leveraged-vaults-private/contracts/oracles/PendlePTOracle.sol#L65
Tool used
Manual Review
Recommendation
Extract the pendle oracle health check code into a separate function and call the function from within both the constructor and _calculateBaseToQuote