Platform: Code4rena
Start Date: 17/02/2022
Pot Size: $75,000 USDC
Total HM: 20
Participants: 39
Period: 7 days
Judges: moose-code, JasoonS
Total Solo HM: 13
Id: 89
League: ETH
Rank: 34/39
Findings: 1
Award: $142.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: defsec
Also found by: 0v3rf10w, 0x0x0x, 0x1f8b, 0xwags, CertoraInc, Dravee, IllIllI, Meta0xNull, Nikolay, Omik, WatchPug, bobi, cccz, csanuragjain, danb, gzeon, hubble, hyh, itsmeSTYJ, jayjonah8, kenta, kirk-baird, leastwood, pauliax, peritoflores, rfa, robee, sorrynotsorry, ye0lde
142.3223 USDC - $142.32
Using Oracle#setStablePrice(), a stable price can be set. By doing so, the oracle will be deactivated and the given stable price will be used. Currently this contract is not behind a timelock contract; as a consequence, governance has centralized control over the pricing without enough reaction time for users. So by changing the price, a rug pull can be performed (even within a single block, by transferring governance to a contract, then investing and changing the price).
As a consequence, the current approach is too centralized and does not protect users.
(Similar logic and the same attack apply to setAggregator, since with a malicious aggregator a wrong price can be returned.)
Use timelock
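The following is an added example, not the audited project's code, showing the weak pattern the finding describes (a governance-only setter that takes effect in the same transaction) next to one way to put it behind a timelock. The contract names, the `Timelock` queue/execute interface, the `MIN_DELAY` value and the convention that a stable price of 0 means "use the aggregator" are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: an added example, not the audited project's code.
// Oracle, Timelock, MIN_DELAY, queue/cancel/execute and the "0 = aggregator"
// convention are assumptions for the sake of the example.

contract Oracle {
    address public governance;
    int256 public stablePrice;   // 0 means "read from the aggregator" (assumed)
    address public aggregator;

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address _governance, address _aggregator) {
        governance = _governance;
        aggregator = _aggregator;
    }

    // Weak form: both setters take effect in the same transaction. If
    // `governance` is an EOA or an arbitrary contract, a price can be forced
    // and exploited in one block, exactly the scenario the finding describes.
    function setStablePrice(int256 price) external onlyGovernance {
        stablePrice = price;
    }

    function setAggregator(address _aggregator) external onlyGovernance {
        aggregator = _aggregator;
    }
}

// Hardened form: deploy Oracle with `governance = address(timelock)`. Every
// setter call must first be queued on-chain and can only be executed after
// MIN_DELAY, so users see a pending price/aggregator change and can exit
// before it takes effect.
contract Timelock {
    uint256 public constant MIN_DELAY = 2 days;  // assumed value
    address public admin;
    mapping(bytes32 => uint256) public readyAt;  // 0 = not queued

    event Queued(bytes32 indexed id, address target, bytes data, uint256 eta);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address _admin) {
        admin = _admin;
    }

    function queue(address target, bytes calldata data, uint256 salt)
        external onlyAdmin returns (bytes32 id)
    {
        id = keccak256(abi.encode(target, data, salt));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + MIN_DELAY;
        emit Queued(id, target, data, readyAt[id]);
    }

    function cancel(bytes32 id) external onlyAdmin {
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit Cancelled(id);
    }

    function execute(address target, bytes calldata data, uint256 salt)
        external onlyAdmin
    {
        bytes32 id = keccak256(abi.encode(target, data, salt));
        uint256 eta = readyAt[id];
        require(eta != 0, "not queued");
        require(block.timestamp >= eta, "timelock not expired");
        delete readyAt[id];                       // effects before interaction
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        emit Executed(id);
    }
}
```

To change the stable price with the hardened form, the admin calls `timelock.queue(address(oracle), abi.encodeWithSelector(Oracle.setStablePrice.selector, price), salt)`, waits at least `MIN_DELAY`, and then calls `execute` with the same arguments; the same path applies to `setAggregator`. The queued call is visible on-chain for the whole delay, which removes the single-block "transfer governance, invest, change price" sequence the finding describes.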
#0 - atvanguard
2022-02-24T07:11:40Z
Duplicate of #40
#1 - JeeberC4
2022-03-24T20:31:33Z
Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency. The original title, for the record, was Oracle#setStablePrice() can be used for rug pull