Skip to content

Latest commit

 

History

History
36 lines (22 loc) · 1.15 KB

057.md

File metadata and controls

36 lines (22 loc) · 1.15 KB

Decent Smoke Owl

High

Tokens used are not checked in OracleLess contract

Summary

There are not checks in OracleLess contract to verify that tokens used are supported.

Root Cause

No checks when creating orders that tokens are supported.

createOrder(): https://github.com/sherlock-audit/2024-11-oku/blob/ee3f781a73d65e33fb452c9a44eb1337c5cfdbd6/oku-custom-order-types/contracts/automatedTrigger/OracleLess.sol#L38C1-L67C6

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

Providing two examples:

Protocol is not designed to support FoT tokens and using such tokens would brick the tokens accounting. Creating orders with custom malicious tokens can prevent admin of canceling such order as when canceling an order it is needed to transfer the tokenIn to the recipient. Malicious tokens can for example blackist the OracleLess contract and the function will revert. Not being able to cancel order would lead to indefinitely grow of pendingOrderIds array leading to DoS because of block gas limit.

Impact

Unexpected behaviour - wrong accounting, DoS.

PoC

No response

Mitigation

Add whitelisting mechanism.