Skip to content

Latest commit

 

History

History
73 lines (50 loc) · 2.92 KB

090.md

File metadata and controls

73 lines (50 loc) · 2.92 KB

Calm Clear Troll

Medium

Missing tokenOut Oracle Validation in Bracket::_createOrder(). Malicious actors can DoS and impact users calling the _createOrder function.

Summary

There is an incorrect or rather missing check of address(MASTER.oracles(tokenOut)) != address(0x0) in Bracket.sol:457 where the code was intended to do the check, instead it does the oracle validation check on tokenIn twice which will lead to a revert at the oracle interaction level. This oversight allows malicious actors to potentially create invalid orders or perform a Denial of Service (DoS) attack, preventing users from creating time-sensitive orders.

Root Cause

In Bracket.sol:457, the _createOrder() function contains a critical validation error where the oracle existence check mistakenly validates tokenIn twice instead of checking both tokenIn and tokenOut.

This directly contradicts the explicit developer intent, as evidenced by the function's own comment:

//verify both oracles exist, as we need both to calc the exchange rate.

The current implementation fundamentally breaks the developers' core design goal of ensuring both token oracles are validated before order creation. The comment and the require statement were explicitly intended to prevent order creation without complete oracle information, yet the implementation fails to achieve this protection.

//verify both oracles exist, as we need both to calc the exchange rate
        require(
            address(MASTER.oracles(tokenIn)) != address(0x0) &&
                address(MASTER.oracles(tokenIn)) != address(0x0),
            "Oracle !exist"
        );

Internal pre-conditions

  1. Contract is deployed and operational
  2. Oracle system is configured

External pre-conditions

Malicious actor has identified the vulnerability

Attack Path

  1. Identify a valid tokenIn with an existing oracle
  2. Specify a tokenOut with: Zero address
  3. Attempt to create an order
  4. Exploit the incomplete validation to: Block order creation Prevent time-sensitive calls to the function
  5. Repeatedly submit transactions to DOS the function

Impact

  1. Denial of Service for _createOrder() function
  2. Prevention of users creating time-sensitive orders
  3. Potential economic loss due to missed opportunities
  4. Disruption of core contract functionality by circumventing the intended oracle existence check
  5. Directly undermines the developers' intended oracle validation mechanism
  6. Contradicts the explicit comment explaining the validation's purpose

PoC

No response

Mitigation

Change the oracle validation to check both tokenIn and tokenOut:

require(
    address(MASTER.oracles(tokenIn)) != address(0x0) && 
    address(MASTER.oracles(tokenOut)) != address(0x0),  // Fix: Check tokenOut oracle
    "Oracle !exist"
);