zlsecure3 / review_Aark


centralization issue for the oracle #36

Open zlsecure3 opened 1 year ago

zlsecure3 commented 1 year ago

subject

centralization issue for the oracle

description

the vault claims that they use the stork oracle to get a more accurate price on-chain. however, inside its FeedVerifier implementation, the valid signer is controlled by the project owner. basically, the owner can submit any number as a price into the Aark system. for the officialStorkFeedVerifier, according to the stork docs, it is basically an ecrecover function. it does not verify whether the oracle_pubkey is valid or not. and the oracle_pubkey is controlled by the project.

function verifySignature(
    address oracle_pubkey,
    string memory asset_pair_id,
    uint256 timestamp,
    uint256 price,
    bytes32 r,
    bytes32 s,
    uint8 v
) public pure returns (bool) {
    bytes32 msg_hash = getMessageHash(oracle_pubkey, asset_pair_id, timestamp, price);
    bytes32 signed_message_hash = getEthSignedMessageHash32(msg_hash);

    // Verify hash was generated by the actual user
    address signer = getSigner(signed_message_hash, r, s, v);
    return (signer == oracle_pubkey) ? true : false;
}

while inside the FeedVerifier contract, the verifySignature function staticcalls the officialStorkFeedVerifier address for the verifySignature.

since the signer is valid only by passing the following requirement

require(isPublisher[signaturedPrice.oraclePubkey], "Is not a publisher");

the project owner can basically set their own address as a valid publisher, and send whatever price into the oracle. and it will be thought of as valid.

recommendation

consider using Chainlink instead, to reduce the centralization and avoid rug pull possibilities.

locations

severity

Low

damage

exploitability

category

Oracle Manipulation


system_generated: auditor:comcat submission_id:1772554115
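
Added example, not Aark's or Stork's code and not part of the submission above: a sketch of one way to narrow the owner's control over the publisher allowlist, by making additions queued, delayed and logged before the `isPublisher` check will accept them. The contract name, `DELAY` value, events and the `IStorkVerifier` interface wrapper are assumptions; only the `verifySignature` signature and the `isPublisher` require come from the issue. This does not remove trust in the owner, it only makes a publisher change visible before it takes effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface wrapping the verifySignature function quoted in the issue.
interface IStorkVerifier {
    function verifySignature(
        address oracle_pubkey, string memory asset_pair_id, uint256 timestamp,
        uint256 price, bytes32 r, bytes32 s, uint8 v
    ) external pure returns (bool);
}

// Hypothetical contract: all names other than isPublisher are illustrative.
contract TimelockedPublisherSet {
    uint256 public constant DELAY = 2 days; // assumed value
    address public immutable owner;
    IStorkVerifier public immutable stork;
    mapping(address => bool) public isPublisher;
    mapping(address => uint256) public activatesAt; // 0 means nothing queued

    event PublisherQueued(address indexed publisher, uint256 activatesAt);
    event PublisherActivated(address indexed publisher);

    constructor(IStorkVerifier stork_, address[] memory initial) {
        owner = msg.sender;
        stork = stork_;
        for (uint256 i = 0; i < initial.length; i++) isPublisher[initial[i]] = true;
    }

    // The owner can only queue a key; it is not accepted until DELAY has elapsed.
    function queuePublisher(address p) external {
        require(msg.sender == owner, "not owner");
        activatesAt[p] = block.timestamp + DELAY;
        emit PublisherQueued(p, activatesAt[p]);
    }

    // Anyone may finalize a queued key once its delay has passed.
    function activatePublisher(address p) external {
        uint256 t = activatesAt[p];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete activatesAt[p];
        isPublisher[p] = true;
        emit PublisherActivated(p);
    }

    function verify(address pubkey, string calldata pair, uint256 ts, uint256 price,
                    bytes32 r, bytes32 s, uint8 v) external view returns (bool) {
        // The Stork check alone passes for any key that signed its own message,
        // so the allowlist is the only thing tying the price to a known publisher.
        require(isPublisher[pubkey], "Is not a publisher");
        return stork.verifySignature(pubkey, pair, ts, price, r, s, v);
    }
}
```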

zlsecure3 commented 1 year ago

grading (edit)


submission_id:1772554115


review_type:GRADING


result: TBD-yes,no


rating: TBD-123


comment: TBD-Rejected,Accepted by Secure3.


severity: TBD-Critical,Medium,Low,Informational


category:


description:


zlsecure3 commented 1 year ago

client feedback (manual copy)


submission_id:1772554115


review_type:CLIENT_FEEDBACK


result: TBD-yes,no


severity: TBD-Critical,Medium,Low,Informational


comment:


zlsecure3 commented 1 year ago

client feedback decision(edit)


submission_id:1772554115


review_type:CLIENT_FEEDBACK_DECISION


result: TBD-yes,no,yes-honored,no-honored


severity: TBD-Critical,Medium,Low,Informational


comment: