Skip to content

Latest commit

 

History

History
44 lines (29 loc) · 1.34 KB

053.md

File metadata and controls

44 lines (29 loc) · 1.34 KB

Decent Smoke Owl

High

Wrong check for tokenOut oracle for bracket orders

Summary

Creation of bracket order does not check if the tokenOut is supported.

Root Cause

There is a wrong check in _createOrder() in Bracket contract:

        require(
            address(MASTER.oracles(tokenIn)) != address(0x0) &&
                address(MASTER.oracles(tokenIn)) != address(0x0),
            "Oracle !exist"
        );

Function wrongly double checks if tokenIn has an oracle instead of checking both tokenIn and tokenOut.

https://github.com/sherlock-audit/2024-11-oku/blob/ee3f781a73d65e33fb452c9a44eb1337c5cfdbd6/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L457C1-L461C11

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

Users can use all kind of unsupported/malicious tokens.

Impact

This leads to unexpected behavior as core assumption that only supported tokens will be used.

One of the impacts of this would be creating such orders for not supported tokenOut. Trying to check if these orders are inRange would always fail as there is not an oracle defined to get the exchange rate. This will brick the whole automation process since checkUpkeep is always going to revert when it reach such order.

PoC

N/A

Mitigation

Check if both tokenIn and tokenOut has oracles.