063.md

Muscular Ceramic Dragonfly

Medium

Vulnerability in Oracle Registration Allows for Incorrect Exchange Rates

Summary

The missing check in getExchangeRate will cause a complete loss of funds for users as an attacker can exploit the lack of registered oracles to obtain incorrect exchange rates.

Root Cause

In getExchangeRate function, there is no validation to ensure that the oracles for the specified tokens are registered. This oversight allows an attacker to manipulate the exchange rates by calling the function with unregistered oracles, potentially leading to financial losses.

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/AutomationMaster.sol#L70-L87

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. An attacker calls getExchangeRate(tokenIn, tokenOut) without registering the required oracles.
2. The function retrieves zero or incorrect values for the exchange rates.
3. The attacker utilizes these manipulated rates to execute trades, resulting in financial losses for users.

Impact

No response

PoC

contract TestVulnerability {  
    VulnerableExchange exchange;  
  
    function setUp() public {  
        exchange = new VulnerableExchange();  
    }  
  
    function testInvalidExchangeRate() public {  
        IERC20 tokenIn = IERC20(address(0)); // Using a dummy token  
        IERC20 tokenOut = IERC20(address(0)); // Using a dummy token  
  
        // Not registering oracles to test the vulnerability  
        // exchange.registerOracle(tokenIn, oracle); // Commented out to demonstrate vulnerability  
  
        // Attempting to get exchange rate should lead to division by zero  
        uint256 rate = exchange.getExchangeRate(tokenIn, tokenOut); // Expecting error or incorrect value  
    }  
}  

Mitigation

No response