Boxy Ash Ant
Medium
In the Bracker::_createOrder
function, the oracle validation contains a logic error: the require tests tokenIn twice and never tests tokenOut. An order can therefore be created for an output token that has no oracle configured. Because the exchange rate needs both oracles, such an order can never be executed and stays stuck.
The validation code incorrectly checks the same token twice:
function _createOrder(
    uint256 takeProfit,
    uint256 stopPrice,
    uint256 amountIn,
    uint96 existingOrderId,
    IERC20 tokenIn,
    IERC20 tokenOut,
    address recipient,
    uint16 feeBips,
    uint16 takeProfitSlippage,
    uint16 stopSlippage
) internal {
    //verify both oracles exist, as we need both to calc the exchange rate
    //@audit invalid oracles: tokenIn is checked twice, tokenOut is never checked
    require(
        address(MASTER.oracles(tokenIn)) != address(0x0) &&
        address(MASTER.oracles(tokenIn)) != address(0x0),
        "Oracle !exist"
    );
    // ... (rest of function omitted)
1. tokenIn has a valid oracle.
2. tokenOut does not have an oracle configured.
3. Order creation succeeds because only tokenIn is checked.
Users unaware that tokenOut is never validated can create orders that cannot be executed. This can cause financial loss for them, since they would expect their take-profit or stop orders to be filled on time, and an order that never fills gives no protection against the price move it was meant to cover.
Fix the oracle validation so that both tokens are checked:
    require(
        address(MASTER.oracles(tokenIn)) != address(0x0) &&
        address(MASTER.oracles(tokenOut)) != address(0x0),
        "Oracle !exist"
    );
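The following is an added example, not code from the audited project: a self-contained Solidity contract that places the flawed check next to the corrected one and shows why an order created past the flawed check cannot be priced. MockMaster, MockOracle, OracleCheck, Demo, the currentValue() oracle interface and the exchangeRate() helper are all assumptions standing in for the project's MASTER registry and rate calculation; the two token addresses are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal oracle interface (not the project's own).
interface IOracle {
    function currentValue() external view returns (uint256);
}

// Stand-in for the MASTER oracle registry: token => oracle, zero if unset.
contract MockMaster {
    mapping(address => IOracle) public oracles;

    function setOracle(address token, IOracle oracle) external {
        oracles[token] = oracle;
    }
}

contract MockOracle is IOracle {
    uint256 public currentValue;

    constructor(uint256 value) {
        currentValue = value;
    }
}

contract OracleCheck {
    MockMaster public immutable MASTER;

    constructor(MockMaster master) {
        MASTER = master;
    }

    // Mirrors the flawed validation: tokenIn is tested twice, tokenOut never.
    function vulnerableCheck(address tokenIn, address /* tokenOut */) external view {
        require(
            address(MASTER.oracles(tokenIn)) != address(0) &&
            address(MASTER.oracles(tokenIn)) != address(0),
            "Oracle !exist"
        );
    }

    // Corrected validation: both legs of the pair need an oracle.
    function fixedCheck(address tokenIn, address tokenOut) external view {
        require(
            address(MASTER.oracles(tokenIn)) != address(0) &&
            address(MASTER.oracles(tokenOut)) != address(0),
            "Oracle !exist"
        );
    }

    // Assumed rate helper: what execution would need. With no tokenOut oracle
    // the call targets address(0), returns no data, and ABI decoding reverts,
    // so an order that slipped past vulnerableCheck can never be filled.
    function exchangeRate(address tokenIn, address tokenOut) external view returns (uint256) {
        uint256 inPrice = MASTER.oracles(tokenIn).currentValue();
        uint256 outPrice = MASTER.oracles(tokenOut).currentValue();
        return (inPrice * 1e8) / outPrice;
    }
}

// Deploy and call run(); expected result: (true, true, true).
contract Demo {
    function run()
        external
        returns (bool vulnerableAccepted, bool fixedRejected, bool pricingFails)
    {
        MockMaster master = new MockMaster();
        address tokenIn = address(0x1111);  // constructed token addresses
        address tokenOut = address(0x2222);
        master.setOracle(tokenIn, new MockOracle(2000e8));
        // tokenOut is deliberately left without an oracle.

        OracleCheck check = new OracleCheck(master);

        // Flawed check lets the order through.
        try check.vulnerableCheck(tokenIn, tokenOut) {
            vulnerableAccepted = true;
        } catch {}

        // Fixed check rejects it with the intended reason.
        try check.fixedCheck(tokenIn, tokenOut) {} catch Error(string memory reason) {
            fixedRejected = keccak256(bytes(reason)) == keccak256("Oracle !exist");
        }

        // Execution-time pricing of the accepted order reverts.
        try check.exchangeRate(tokenIn, tokenOut) {} catch {
            pricingFails = true;
        }
    }
}
```

The point of the third flag is the one the finding rests on: the check at creation is the only guard, and once a missing tokenOut oracle gets past it, every later rate computation for that order reverts, so the order is accepted but unfillable.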