Skip to content

Latest commit

 

History

History
68 lines (45 loc) · 2.78 KB

088.md

File metadata and controls

68 lines (45 loc) · 2.78 KB

Witty Cinnamon Barracuda

Medium

Inconsistent Oracle Checks leads to by incorrect calculations or bypass the check

Summary

No response

Root Cause

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L456C1-L462C1 modifyOrder function only checks for the presence of an oracle for the new _tokenOut if, and only if, it differs from the original tokenOut

Let's say Alice wants to trade ETH for LINK. Assume both ETH and LINK have valid oracle registrations when she starts.

  1. Alice Creates an Order: Alice calls createOrder to set up a bracket order. She specifies:

    • tokenIn: ETH (has a valid oracle)
    • tokenOut: LINK (has a valid oracle)
    • takeProfit: 2 ETH per LINK (the price at which she wants to sell)
    • stopPrice: 1.5 ETH per LINK (the price at which she wants to exit to limit losses)

    Because both ETH and LINK initially have oracles, her order is created without issues.

require(
            address(MASTER.oracles(tokenIn)) != address(0x0) &&
                address(MASTER.oracles(tokenIn)) != address(0x0),//@audit used same tokenIn
            "Oracle !exist"
        );
  1. LINK Oracle Malfunctions: A few hours later, there's a problem with the LINK oracle. Maybe it's temporarily down, or perhaps it was deliberately compromised. The point is, the LINK price feed is no longer available.
  2. Alice Modifies Her stopPrice: Alice decides she wants to adjust her stopPrice to 1.7 ETH per LINK. She calls modifyOrder, providing the new stopPrice but keeping the same tokenOut (LINK).
  3. The Missing Check: Because modifyOrder only checks for a valid oracle if the tokenOut is changed, it doesn't notice that the LINK oracle is now gone. Alice's order is updated with the new stopPrice, but it now points to a tokenOut with a broken price feed.
  4. Order Execution Attempt: Later, the checkUpkeep function runs, trying to determine if Alice's order should be triggered. It calls checkInRange, which needs to get the current ETH/LINK exchange rate.
  5. Failure: The system tries to get the ETH/LINK price from the MASTER contract, but the LINK oracle. Alice's order fails to execute. If getExchangeRate doesn't revert but instead returns incorrect value, Alice's order could execute at a completely unintended price, resulting in financial losses.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

No response

Mitigation

require(
    address(MASTER.oracles(tokenIn)) != address(0x0) &&
    address(MASTER.oracles(tokenOut)) != address(0x0),
    "Oracle !exist"
);