This repository has been archived by the owner on Jul 14, 2024. It is now read-only.

rvierdiiev - TWAPOracleDollar3poolFacet.setPool can be griefed #69

Closed
sherlock-admin opened this issue Jan 10, 2024 · 2 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin

sherlock-admin commented Jan 10, 2024

rvierdiiev

medium

TWAPOracleDollar3poolFacet.setPool can be griefed

Summary

An attacker can prevent the Ubiquity protocol from calling TWAPOracleDollar3poolFacet.setPool because of the pool balance check.

Vulnerability Detail

The TWAPOracleDollar3poolFacet.setPool function allows the protocol to set the Curve pool that will be used to fetch prices.
The function has a balance check that requires the reserves to be equal.

Such a check allows anyone to change the reserves in the pool before the setPool call in order to make the tx fail. The protocol will then need to redeploy the library and remove the check, or create a script that keeps the balances in the pool equal, to be able to set the pool.

Impact

An attacker can prevent setPool from being called.

Code Snippet

Provided above

Tool used

Manual Review

Recommendation

Remove that check.

Duplicate of #14

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jan 14, 2024
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The issue describes DOSing the setPool function by manipulating the Curve pool, but it's assumed that the Curve pool deployment, LP deposit, and setPool will be handled in one tx using a multicall structure.
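Added example, not part of the issue thread and not Ubiquity's code: a small model of the ordering question the report and the judging comment disagree on, showing when a strict reserve-equality check in setPool can be made to revert and when it cannot. `Pool`, `Oracle`, `outcomes`, the amounts and the 1:1 swap are assumptions made for illustration; real Curve pricing differs.

```python
class Revert(Exception):
    """A transaction that fails and leaves state unchanged."""

class Pool:
    def __init__(self):
        self.reserves = [0, 0]

    def add_liquidity(self, a, b):
        self.reserves[0] += a
        self.reserves[1] += b

    def swap(self, amount_in):
        # Simplified 1:1 swap (assumption); only the resulting imbalance matters.
        if amount_in > self.reserves[1]:
            raise Revert("insufficient liquidity")
        self.reserves[0] += amount_in
        self.reserves[1] -= amount_in

class Oracle:
    def __init__(self, strict):
        self.strict, self.pool = strict, None

    def set_pool(self, pool):
        r0, r1 = pool.reserves
        if r0 == 0 or r1 == 0:
            raise Revert("no reserves")
        if self.strict and r0 != r1:  # the equality check the report describes
            raise Revert("pair unbalanced")
        self.pool = pool

def outcomes(atomic, strict=True):
    """For each slot a third-party swap can take in the tx ordering,
    report whether set_pool ended up succeeding."""
    results = []
    for slot in range(2 if atomic else 3):
        pool, oracle = Pool(), Oracle(strict)
        deposit = lambda: pool.add_liquidity(1000, 1000)  # constructed amounts
        set_pool = lambda: oracle.set_pool(pool)
        batch = lambda: (deposit(), set_pool())  # one tx: nothing can interleave
        txs = [batch] if atomic else [deposit, set_pool]
        txs.insert(slot, lambda: pool.swap(1))  # constructed third-party trade
        for tx in txs:
            try:
                tx()
            except Revert:
                pass  # a reverted tx changes nothing
        results.append(oracle.pool is pool)
    return results
```

With separate transactions the strict check fails only when the trade lands between the deposit and setPool; batching both into one transaction, or dropping the equality check as the report recommends, removes that slot.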

@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 16, 2024

@sherlock-admin sherlock-admin changed the title Macho Heather Mammoth - TWAPOracleDollar3poolFacet.setPool can be griefed rvierdiiev - TWAPOracleDollar3poolFacet.setPool can be griefed Jan 24, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jan 24, 2024
@Czar102 Czar102 removed the Medium A valid Medium severity issue label Feb 14, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Feb 14, 2024