Skip to content

Latest commit

 

History

History
84 lines (58 loc) · 3.45 KB

013.md

File metadata and controls

84 lines (58 loc) · 3.45 KB

Flaky Merlot Parrot

High

Missing Oracle Reference Will Cause Failed Transactions for Users as Orders Will Revert

Summary

The missing validation for oracle existence in the AutomationMaster.sol contract will cause failed transactions for users as orders will revert during the exchange rate retrieval process.

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/AutomationMaster.sol#L82

Root Cause

In contract AutomationMaster: _getExchangeRate(), the following line:

 //AutomationMaster: _getExchangeRate()
uint256 priceIn = oracles[tokenIn].currentValue();

fails to check if oracles[tokenIn] is set before calling currentValue(). This omission results in a revert when an unset oracle (address 0) is accessed.

Internal pre-conditions

1.The oracles[tokenIn] must not be set (i.e., it equals address(0)). 2.The checkUpkeep() function must call MASTER.getExchangeRate(), which relies on oracles[tokenIn].

External pre-conditions

  1. A token pair involving a token with no assigned oracle must be used in an order.
  2. The system must not enforce validations when setting oracles for supported tokens.

Attack Path

  1. A user creates an order for a token pair where tokenIn lacks an associated oracle.

  2. The system processes the order and calls checkUpkeep(). https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L53

  3. checkUpkeep() calls checkInRange()to return the exchange rate https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L594 https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L611

  4. During the call to _getExchangeRate(), the contract attempts to fetch the exchange rate using oracles[tokenIn].currentValue(). The absence of an oracle for tokenIn causes the call to revert. https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/AutomationMaster.sol#L82

Impact

The users cannot execute or process their orders involving unsupported tokens, resulting in failed transactions. This can lead to:

  1. Loss of user trust in the platform.
  2. Increased manual intervention to resolve user complaints.

PoC

//AutomationMaster: _getExchangeRate()
pragma solidity >=0.8.0;

contract TestOracleIssue {
    mapping(address => IOracle) public oracles;

    function _getExchangeRate(IERC20 tokenIn, IERC20 tokenOut) internal view returns (uint256 exchangeRate) {
        // Missing oracle check leads to revert
        uint256 priceIn = oracles[address(tokenIn)].currentValue();
        uint256 priceOut = oracles[address(tokenOut)].currentValue();
        return (priceIn * 1e8) / priceOut;
    }
}
  1. Deploy a contract where tokenIn has no associated oracle.
  2. Call _getExchangeRate(tokenIn, tokenOut) and observe the transaction revert.

Mitigation

  1. Add a check for the existence of an oracle before retrieving the value:
//AutomationMaster: _getExchangeRate()
require(address(oracles[tokenIn]) != address(0), "Oracle for tokenIn not found");
uint256 priceIn = oracles[tokenIn].currentValue();
  1. Ensure all supported tokens have associated oracles before enabling their use.
  2. Include error handling to return meaningful feedback to users when oracles are missing.