DittoETH - XDZIBECX's results

A decentralized stablecoin protocol with an order book design for supercharged staking yield.

General Information

Platform: Code4rena

Start Date: 15/03/2024

Pot Size: $60,500 USDC

Total HM: 16

Participants: 43

Period: 21 days

Judge: hansfriese

Total Solo HM: 5

Id: 348

League: ETH

DittoETH

Findings Distribution

Researcher Performance

Rank: 29/43

Findings: 1

Award: $67.25

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Infect3d

Also found by: Evo, LinKenji, XDZIBECX, falconhoof, foxb868, ilchovski, klau5, nonseodion

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
:robot:_114_group
duplicate-114

Awards

67.2468 USDC - $67.25

External Links

Lines of code

https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L75

Vulnerability details

Impact

The redemption path uses a cached oracle price (LibOracle.getPrice(p.asset)) with a 15-minute validity window, a design choice made to keep the hint system for order placement efficient. Because cryptocurrency markets are volatile, the cached price can fail to reflect current market conditions accurately within that window. The discrepancy between the cached oracle price and the actual market price at the time of redemption can result in unfair redemption outcomes: proposers of redemptions may either benefit unduly or suffer losses because of the stale price information.

Proof of Concept

The following example illustrates the bug:

  • Initial cached oracle price: 100
  • Elapsed time since last oracle update: 10 minutes (within the 15-minute cache window)
  • Market price: 120
  • Proposer's price view: 118 (the price the proposer believes to be accurate based on their information)

  • The contract's cached oracle price is 100, which is outdated but still within the cache window, so it has not been updated.
  • A user proposes a redemption based on their view that the oracle price is 118, which is close to the actual market price of 120.
  • The contract compares the proposer's price view (118) against the cached oracle price (100).
  • The price discrepancy (|118 - 100| = 18) exceeds 5% of the cached oracle price (5% of 100 = 5), leading to an "Unfair Redemption" classification caused by a significant price movement that the cached price does not reflect.

Tools Used

Manual review

Recommended mitigation: add an update mechanism that adjusts the frequency of oracle price updates according to observed market volatility.
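The scenario in the proof of concept and the volatility-driven refresh suggested above, modelled as an added example (this is constructed illustration code, not DittoETH's contracts; the oracle, the "live" price an updater observes, and the 5% tolerance are assumptions taken from the numbers in the PoC):

```python
from dataclasses import dataclass

CACHE_WINDOW_SECONDS = 15 * 60   # validity window described in the finding
MAX_DEVIATION_BPS = 500          # 5% tolerance used in the PoC, in basis points


@dataclass
class CachedOracle:
    price: int        # last stored oracle price (assumed integer units)
    updated_at: int   # timestamp of the last refresh, in seconds


def is_fresh(oracle: CachedOracle, now: int) -> bool:
    return now - oracle.updated_at <= CACHE_WINDOW_SECONDS


def deviation_bps(candidate: int, reference: int) -> int:
    """Absolute deviation of candidate from reference, in basis points."""
    return abs(candidate - reference) * 10_000 // reference


def redemption_price_cached(oracle: CachedOracle, now: int, live: int) -> int:
    # Baseline behaviour: reuse the cached price whenever it is inside the
    # window, no matter how far the market has moved in the meantime.
    if is_fresh(oracle, now):
        return oracle.price
    oracle.price, oracle.updated_at = live, now
    return live


def redemption_price_volatility_aware(oracle: CachedOracle, now: int, live: int) -> int:
    # Mitigation sketch: the window still applies, but an observed move larger
    # than MAX_DEVIATION_BPS forces a refresh, so the update rate rises with volatility.
    if is_fresh(oracle, now) and deviation_bps(live, oracle.price) <= MAX_DEVIATION_BPS:
        return oracle.price
    oracle.price, oracle.updated_at = live, now
    return live


def classify_proposal(proposer_price: int, reference_price: int) -> str:
    # Mirrors the PoC check: |118 - 100| = 18 exceeds 5% of 100, so "unfair".
    return "unfair" if deviation_bps(proposer_price, reference_price) > MAX_DEVIATION_BPS else "ok"


def scenario(volatility_aware: bool) -> tuple[int, str]:
    # Constructed inputs from the PoC: cached 100 at t=0, redemption 10 minutes
    # later while the market is at 120 and the proposer quotes 118.
    oracle = CachedOracle(price=100, updated_at=0)
    now, live, proposer = 10 * 60, 120, 118
    pick = redemption_price_volatility_aware if volatility_aware else redemption_price_cached
    reference = pick(oracle, now, live)
    return reference, classify_proposal(proposer, reference)
```

With the baseline the proposal is judged against the stale 100 and rejected as unfair; with the volatility-aware refresh the reference becomes 120 and the same proposal passes.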

Assessed type

Other

#0 - c4-pre-sort

2024-04-06T06:02:53Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-04-06T06:03:05Z

raymondfam marked the issue as duplicate of #114

#2 - raymondfam

2024-04-06T06:03:39Z

See #114.

#3 - c4-judge

2024-04-11T16:12:31Z

hansfriese marked the issue as satisfactory
