Orbiting Goldenrod Jaguar
High
Incorrect oracle validation logic will cause an invalid order creation vulnerability for users as malicious actors will create orders with non-existent tokenOut oracles, leading to potential price manipulation and failed executions.
https://github.com/sherlock-audit/2024-11-oku-Lu-zihang/blame/e8a9b54b988b021a707e13b8f8048b1b9cc1d602/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L458-L459 In Bracket.sol:459 there is a duplicate check of tokenIn oracle instead of checking tokenOut oracle in the require statement.
No response
No response
No response
The users suffer from incorrect order execution and potential fund loss, as the missing tokenOut oracle validation affects these critical functions:
-
checkInRange()- Uses invalid oracle:exchangeRate = MASTER.getExchangeRate(order.tokenIn, order.tokenOut); -
Order creation - Sets wrong direction:
direction: MASTER.getExchangeRate(tokenIn, tokenOut) > takeProfit -
execute()- Calculates wrong minimum received amount:execute() - Calculates wrong minimum received amount:MASTER.getMinAmountReceived(amountIn, tokenIn, tokenOut, bips) -
Exchange Rate Calculation Failure:
function _getExchangeRate(IERC20 tokenIn, IERC20 tokenOut) internal view returns (uint256) {
uint256 priceIn = oracles[tokenIn].currentValue();
>@ uint256 priceOut = oracles[tokenOut].currentValue(); // Will revert if oracle doesn't exist
return (priceIn * 1e8) / priceOut;
}No response
function _createOrder(
uint256 takeProfit,
uint256 stopPrice,
uint256 amountIn,
uint96 existingOrderId,
IERC20 tokenIn,
IERC20 tokenOut,
address recipient,
uint16 feeBips,
uint16 takeProfitSlippage,
uint16 stopSlippage
) internal {
//verify both oracles exist, as we need both to calc the exchange rate
require(
address(MASTER.oracles(tokenIn)) != address(0x0) &&
- address(MASTER.oracles(tokenIn)) != address(0x0),
+ address(MASTER.oracles(tokenOut)) != address(0x0),
"Oracle !exist"
);
........