Open Dollar - 0xMosh's results

A floating $1.00 pegged stablecoin backed by Liquid Staking Tokens with NFT controlled vaults.

General Information

Platform: Code4rena

Start Date: 18/10/2023

Pot Size: $36,500 USDC

Total HM: 17

Participants: 77

Period: 7 days

Judge: MiloTruck

Total Solo HM: 5

Id: 297

League: ETH

Open Dollar

Findings Distribution

Researcher Performance

Rank: 43/77

Findings: 2

Award: $62.49

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: twicek

Also found by: 0xMosh, 0xhacksmithh, Arz, bitsurfer, btk, kutugu, ni8mare, pep7siup, spark, xAriextz

Labels

bug
2 (Med Risk)
downgraded by judge
low quality report
satisfactory
duplicate-187

Awards

54.1911 USDC - $54.19

External Links

Lines of code

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/CamelotRelayer.sol#L20

Vulnerability details

Impact

Protocol will always fail to fetch an asset price. Deployment of CamelotRelayer will fail.

Proof of Concept

CamelotRelayer contracts are supposed to consult a CamelotRelayer TWAP and transform the result into a standard IBaseOracle feed. Then the quote obtained from the pool query is transformed into an 18-decimal format.

However, the current address of the Camelot V3 Factory being used is wrong. It's using Goerli's Camelot V3 Factory address instead of Arbitrum's address. This gives rise to a huge issue of the protocol always failing to fetch an asset price.

  address internal constant _CAMELOT_FACTORY = GOERLI_CAMELOT_V3_FACTORY;

Tools Used

Etherscan

Use Arbitrum's address of the Camelot V3 Factory:

- address internal constant _CAMELOT_FACTORY = GOERLI_CAMELOT_V3_FACTORY;
+ address internal constant _CAMELOT_FACTORY = CAMELOT_V3_FACTORY;
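
Review bot: The + line still pins _CAMELOT_FACTORY to a single network at compile time, so the same mistake can recur the next time the contract is built for another chain. Consider taking the factory address as a constructor argument (or selecting it by chain id) and rejecting an address that has no code at deployment. The hunk also does not show where CAMELOT_V3_FACTORY is defined, so its value should be confirmed against the factory actually deployed on Arbitrum before merging.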

Assessed type

Oracle

#0 - c4-pre-sort

2023-10-26T19:17:17Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort

2023-10-26T19:17:27Z

raymondfam marked the issue as duplicate of #119

#2 - c4-judge

2023-11-02T06:24:35Z

MiloTruck changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-11-02T08:46:41Z

MiloTruck marked the issue as satisfactory

Findings Information

🌟 Selected for report: twicek

Also found by: 0xMosh, 0xhacksmithh, Arz, bitsurfer, btk, kutugu, ni8mare, pep7siup, spark, xAriextz

Labels

bug
2 (Med Risk)
downgraded by judge
low quality report
satisfactory
duplicate-187

Awards

54.1911 USDC - $54.19

External Links

Lines of code

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/UniV3Relayer.sol#L18

Vulnerability details

Impact

Protocol will always fail to fetch an asset price. Deployment of UniV3Relayer will fail.

Proof of Concept

UniV3Relayer contracts are supposed to consult a UniswapV3 TWAP and transform the result into a standard IBaseOracle feed. Then the quote obtained from the pool query is transformed into an 18-decimal format.

However, the current address of the Uniswap V3 Factory being used is wrong. It's using Goerli's Uniswap V3 Factory address instead of Arbitrum's address. This gives rise to a huge issue of the protocol always failing to fetch an asset price.

  address internal constant _UNI_V3_FACTORY = GOERLI_UNISWAP_V3_FACTORY;

Tools Used

Etherscan

Use Arbitrum's address of the Uniswap V3 Factory:

- address internal constant _UNI_V3_FACTORY= GOERLI_UNISWAP_V3_FACTORY ;
+ address internal constant _UNI_V3_FACTORY = UNISWAP_V3_FACTORY ;
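
Review bot: The - line does not match the source declaration quoted above (it drops the space before = and adds one before the semicolon), so this hunk would not apply as written, and the + line carries the same stray space before the semicolon. Write both lines with the spacing of the original declaration, e.g. address internal constant _UNI_V3_FACTORY = UNISWAP_V3_FACTORY; for the added line. As with any hard-coded factory constant, the value behind UNISWAP_V3_FACTORY is not visible here and should be checked against the Arbitrum deployment.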

Assessed type

Oracle

#0 - c4-pre-sort

2023-10-26T19:18:56Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort

2023-10-26T19:19:05Z

raymondfam marked the issue as duplicate of #119

#2 - c4-judge

2023-11-02T06:24:37Z

MiloTruck changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-11-02T08:46:41Z

MiloTruck marked the issue as satisfactory

Awards

8.3007 USDC - $8.30

Labels

bug
downgraded by judge
grade-b
low quality report
QA (Quality Assurance)
duplicate-16
Q-01

External Links

Lines of code

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/Vault721.sol#L56

Vulnerability details

Impact

Detailed description of the impact of this finding.

Proof of Concept

Function initializeManager is for initializing the safemanager address of the vault contract. However, lack of access control makes it vulnerable to front-running attacks. safemanager is the only authorized contract to mint safes in the vault contract.

  function initializeManager() external {
    if (address(safeManager) == address(0)) _setSafeManager(msg.sender);
  }

A malicious frontrunner can take advantage of this with the steps below:

  1. At first he'll frontrun the initializeManager function to gain the authority to mint safes.
  2. Call the build function to create a proxy for his account.
  3. Now, call the mint function and mint as many safes of any safeId as he wants.

Although governance can regain control of safemanager by calling setSafeManager, this attack will DoS the minting of the actual safemanager, because some of the safes were already minted by the attacker and SAFEs are minted sequentially.

Tools Used

Manual Review.

Add an onlyGovernor modifier to the initializeManager function.

Assessed type

Access Control
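
The open initializer from this finding beside a governed alternative, as an added sketch (not part of the submission and not Open Dollar's Vault721). Only initializeManager, setSafeManager, safeManager and mint are names from the page; the contract names, the governor field and the constructor wiring are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not Open Dollar's Vault721: only the names initializeManager,
// setSafeManager, safeManager and mint come from the finding.
abstract contract SafeMinter {
  address public safeManager;
  mapping(uint256 => address) public ownerOf;

  error NotSafeManager();
  error AlreadyMinted(uint256 safeId);

  // Only the registered manager may mint, and each safe id can be minted once,
  // so ids taken by a rogue manager collide with later sequential mints.
  function mint(address _to, uint256 _safeId) external {
    if (msg.sender != safeManager) revert NotSafeManager();
    if (ownerOf[_safeId] != address(0)) revert AlreadyMinted(_safeId);
    ownerOf[_safeId] = _to;
  }
}

// Pattern from the finding: whoever calls first becomes the manager.
contract OpenInitVault is SafeMinter {
  function initializeManager() external {
    if (safeManager == address(0)) safeManager = msg.sender;
  }
}

// Hardened form: no open initializer; the manager is named at deployment or by the governor.
contract GovernedVault is SafeMinter {
  address public immutable governor; // hypothetical governance address

  error NotGovernor();
  error ZeroAddress();

  constructor(address _governor, address _safeManager) {
    if (_governor == address(0) || _safeManager == address(0)) revert ZeroAddress();
    governor = _governor;
    safeManager = _safeManager; // set atomically with deployment: no race window
  }

  function setSafeManager(address _safeManager) external {
    if (msg.sender != governor) revert NotGovernor();
    if (_safeManager == address(0)) revert ZeroAddress();
    safeManager = _safeManager;
  }
}
```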

#0 - c4-pre-sort

2023-10-26T19:34:52Z

raymondfam marked the issue as low quality report

#1 - c4-pre-sort

2023-10-26T19:35:01Z

raymondfam marked the issue as duplicate of #16

#2 - c4-judge

2023-11-01T20:00:24Z

MiloTruck changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-11-03T17:57:00Z

MiloTruck marked the issue as grade-b
