This repository has been archived by the owner on Jul 14, 2024. It is now read-only.

XDZIBEC - Stale Data issue in Oracle Update and Consult Functions #92

Closed
sherlock-admin2 opened this issue Jan 10, 2024 · 7 comments
Labels
Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2
Contributor

sherlock-admin2 commented Jan 10, 2024

XDZIBEC

medium

Stale Data issue in Oracle Update and Consult Functions

Summary

see vulnerability details

Vulnerability Detail

The contract serves as a TWAP oracle for a Curve MetaPool involving Dollar and 3CRV LP tokens.
It has these functions:
- setPool sets the Curve MetaPool used for TWAP calculations.
- update updates state variables based on the latest values from the MetaPool.
- consult returns the price quote for a specified token.
The vulnerability exists in both the update and consult functions: the first function has no mechanism to ensure the oracle data is updated in a timely manner, and the consult function has no verification that the consulted data is fresh and not stale.

  • Here is the vulnerable part (the report quotes only the `update` and `consult` wrappers; the contract header and the `LibTWAPOracle` import are not shown):

```solidity
    /**
     * @notice Updates state variables based on the latest values from the MetaPool
     */
    function update() external {
        LibTWAPOracle.update();
    }

    /**
     * @notice Returns the quote for the provided `token` address
     * @notice If the `token` param is Dollar then returns 3CRV LP / Dollar quote
     * @notice If the `token` param is 3CRV LP then returns Dollar / 3CRV LP quote
     * @dev This will always return 0 before update has been called successfully for the first time
     * @param token Token address
     * @return amountOut Token price, Dollar / 3CRV LP or 3CRV LP / Dollar quote
     */
    function consult(address token) external view returns (uint256 amountOut) {
        return LibTWAPOracle.consult(token);
    }
}
```
  • If the actual market rate is more favorable than the stale rate, an attacker could use the stale data in the oracle to buy or sell large quantities of Dollar or 3CRV LP at non-market prices, resulting in financial gain for the attacker and potential losses for other uninformed users.
  • The attacker could perform trades that take advantage of the stale data before others notice, or before the oracle is updated, and then manipulate the market in their favor.

Impact

  • Assume the update function hasn't been called for an extended period and market prices have changed significantly. A user consulting the oracle via the consult function during this period receives outdated price information. This incorrect information can be used to exploit market positions or execute trades at non-market prices, leading to potential financial losses for uninformed users.

Code Snippet

Tool used

Manual Review

Recommendation

- A timestamp check is needed in the update function to ensure that the oracle data is not stale. One way to fix it is to define a maximum time interval within which data must be updated and revert the transaction if the current timestamp exceeds this interval since the last update.

Duplicate of #34

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jan 14, 2024
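One way to implement the staleness guard the report recommends, as an added example that is not part of the original report or of the Ubiquity code base: a minimal oracle wrapper that records the block timestamp of the last successful update, rejects quotes older than a configured maximum age in `consult` (reverting instead of returning 0 when no update has ever run), and, picking up the judge's remark that `update` can be called in every block, enforces a minimum interval between updates so the averaging window cannot collapse to one block. The `IPriceSource` interface, the `StaleGuardedOracle` contract, its error names and its constructor parameters are assumptions made for illustration; they stand in for `LibTWAPOracle` and the real MetaPool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Hypothetical stand-in for the TWAP source (LibTWAPOracle / the
///      MetaPool in the audited contract). Assumed interface, not project code.
interface IPriceSource {
    /// @return dollarPerLp 3CRV LP / Dollar quote
    /// @return lpPerDollar Dollar / 3CRV LP quote
    function latest() external view returns (uint256 dollarPerLp, uint256 lpPerDollar);
}

/// @title StaleGuardedOracle (illustrative example, not the project's contract)
contract StaleGuardedOracle {
    error StaleQuote(uint256 lastUpdated, uint256 maxAge);
    error UpdateTooSoon(uint256 lastUpdated, uint256 minInterval);
    error UnknownToken(address token);

    IPriceSource public immutable source;
    address public immutable dollar;  // Dollar token
    address public immutable lpToken; // 3CRV LP token

    /// Longest age a stored quote may have when it is consulted (e.g. 1 hours).
    uint256 public immutable maxAge;
    /// Shortest gap between two updates, so the TWAP window cannot be
    /// shrunk to a single block by calling update() every block (e.g. 10 minutes).
    uint256 public immutable minInterval;

    uint256 public dollarQuote; // 3CRV LP per Dollar
    uint256 public lpQuote;     // Dollar per 3CRV LP
    uint256 public lastUpdated; // 0 until the first successful update

    constructor(
        IPriceSource source_,
        address dollar_,
        address lpToken_,
        uint256 maxAge_,
        uint256 minInterval_
    ) {
        // If minInterval >= maxAge the oracle could never be refreshed before
        // it is already stale, so reject that configuration up front.
        require(minInterval_ < maxAge_, "minInterval must be below maxAge");
        source = source_;
        dollar = dollar_;
        lpToken = lpToken_;
        maxAge = maxAge_;
        minInterval = minInterval_;
    }

    /// @notice Refreshes the stored quotes and records when it happened.
    function update() external {
        if (lastUpdated != 0 && block.timestamp < lastUpdated + minInterval) {
            revert UpdateTooSoon(lastUpdated, minInterval);
        }
        (dollarQuote, lpQuote) = source.latest();
        lastUpdated = block.timestamp;
    }

    /// @notice Returns the quote for `token`; reverts if the data is stale or
    ///         if no update has ever succeeded, so a caller can never read 0
    ///         and mistake it for a price.
    function consult(address token) external view returns (uint256 amountOut) {
        if (lastUpdated == 0 || block.timestamp > lastUpdated + maxAge) {
            revert StaleQuote(lastUpdated, maxAge);
        }
        if (token == dollar) return dollarQuote;
        if (token == lpToken) return lpQuote;
        revert UnknownToken(token);
    }

    /// @notice Non-reverting freshness probe for callers that prefer to
    ///         degrade gracefully (e.g. pause a mint) rather than revert.
    function isFresh() external view returns (bool) {
        return lastUpdated != 0 && block.timestamp <= lastUpdated + maxAge;
    }
}
```

The staleness check is placed on the read side, in `consult`, because that is where a stale value would be consumed; reverting `update` when the data is old would only make the oracle harder to recover. The guard protects consumers of this contract's quotes; it does not by itself address the separate point raised in the discussion of #13 about refreshing the underlying pool.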
@sherlock-admin2
Contributor Author

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

The issue describes about TWAP can be manipulated because update function can be called anytime and by anyone, thus TWAP period can be as short as 1 block. It seems like a valid issue but after careful consideration, it's noticed that the TWAP issue does not come from its period but the logic itself is incorrect, thus marking this as Invalid

@github-actions github-actions bot reopened this Jan 16, 2024
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 16, 2024

@rndquu

rndquu commented Jan 17, 2024

@molecula451 @gitcoindev

This seems to be a duplicate of #13

@gitcoindev

@molecula451 @gitcoindev

This seems to be a duplicate of #13

Yes, this looks like #13 . I guess both should be accepted then, but one marked as a duplicate.

@gitcoindev gitcoindev added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Jan 17, 2024
@nevillehuang
Collaborator

Agree with sponsor, duplicating with #13, given while the underlying issue of updating the underlying pool is not mentioned as in #13, the watsons are technically not wrong per se by indicating an update required by using a stale time interval.

@nevillehuang nevillehuang added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 23, 2024
@sherlock-admin2 sherlock-admin2 changed the title Sparkly Taffy Shark - Stale Data issue in Oracle Update and Consult Functions XDZIBEC - Stale Data issue in Oracle Update and Consult Functions Jan 24, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jan 24, 2024
@Czar102 Czar102 removed the Medium A valid Medium severity issue label Feb 19, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Feb 19, 2024
@sherlock-admin2 sherlock-admin2 removed the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Feb 20, 2024
@sherlock-admin
Contributor

The protocol team fixed this issue in PR/commit ubiquity/ubiquity-dollar#893.

@sherlock-admin
Contributor

The Lead Senior Watson signed off on the fix.


6 participants