Platform: Code4rena
Start Date: 25/10/2022
Pot Size: $50,000 USDC
Total HM: 18
Participants: 127
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 175
League: ETH
Rank: 84/127
Findings: 2
Award: $34.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: trustindistrust
Also found by: 0xbepresent, Jujic, Lambda, RaoulSchaffranek, c7e7eff, catchup, codexploder, cryptonue, d3e4, eierina, jwood, pashov, peanuts, pedroais, simon135
33.634 USDC - $33.63
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L53
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L61
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L349
Centralization risk: some operator-only functions can be used maliciously to harm users. This can happen either through a malicious owner/operator or through loss of the operator's keys. Web3 projects should have critical variables controlled by governance rather than by a single operator role.
Some functions in Inverse Finance have an onlyGov modifier that allows governance to change key variables, but other critical functions are callable by a centralized "operator".
Someone controlling the operator private key could:
- Change the oracle to a malicious one to force liquidations onto borrowers: https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L53
- Directly change prices by adding "fixed prices": https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L61
- Mint DBR and decrease its value: https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L349
Use governance instead of the operator for these changes, or make values like the oracle feed immutable. If an operator role is kept, manage it with a multisig wallet.
#0 - c4-judge
2022-11-05T22:48:00Z
0xean marked the issue as duplicate
#1 - Simon-Busch
2022-12-05T15:36:47Z
Issue marked as satisfactory as requested by 0xean
#2 - c4-judge
2022-12-07T08:22:05Z
Simon-Busch marked the issue as duplicate of #301
🌟 Selected for report: rbserver
Also found by: 0x1f8b, 0xNazgul, 0xc0ffEE, 8olidity, Aymen0909, Chom, Franfran, Jeiwan, Jujic, Lambda, M4TZ1P, Olivierdem, Rolezn, Ruhum, TomJ, Wawrdog, __141345__, bin2chen, c7e7eff, carlitox477, catchup, cccz, codexploder, cuteboiz, d3e4, dipp, djxploit, eierina, elprofesor, hansfriese, horsefacts, idkwhatimdoing, imare, immeas, joestakey, ladboy233, leosathya, martin, minhtrng, pashov, peanuts, pedroais, rokinot, rvierdiiev, saneryee, sorrynotsorry, tonisives
0.385 USDC - $0.38
Oracle data can be stale, which can lead to wrong calculations of the collateral price.
When latestRoundData() is called, only the price is pulled from the returned data. The timestamp should be checked to ensure the data is up to date.
The latestRoundData() function is deprecated according to the Chainlink documentation; GetLatestPrice() should be used instead.
Documentation reference: https://docs.chain.link/docs/data-feeds/price-feeds/api-reference/
Recently a lending protocol was exploited when Chainlink paused the oracle for LUNA. The protocol kept using a non-updated price as the collateral price. Reference: https://thecryptobasic.com/2022/05/13/blizz-finance-depleted-after-luna-feeds-pause-fingers-pointed-at-chainlink/
Check that the timestamp is from within the last 24 hours, so that a paused oracle does not feed a stale price into the protocol.
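The following is an added illustration of the unchecked pattern described above next to a hardened read that applies the 24-hour staleness window; it is example code written for this page, not Inverse Finance's Oracle.sol, and the AggregatorV3Interface subset, contract name and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface (assumed for this example).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract StalenessCheckExample {
    // 24-hour window taken from the finding above; a production deployment
    // should derive this from the feed's documented heartbeat plus a margin.
    uint256 public constant MAX_STALENESS = 24 hours;

    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface _feed) {
        feed = _feed;
    }

    // Unchecked pattern: only the answer is read, so a paused or halted feed
    // keeps returning its last (possibly hours-old) price without complaint.
    function getPriceUnchecked() external view returns (uint256) {
        (, int256 price, , , ) = feed.latestRoundData();
        return uint256(price);
    }

    // Hardened pattern: reject non-positive answers, answers from an
    // incomplete round, and answers older than MAX_STALENESS.
    function getPriceChecked() external view returns (uint256) {
        (uint80 roundId, int256 price, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(price > 0, "oracle: non-positive price");
        require(updatedAt != 0, "oracle: round not complete");
        require(answeredInRound >= roundId, "oracle: stale round");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "oracle: stale price");
        return uint256(price);
    }
}
```

Because the checked read reverts on stale data, any caller (for example a liquidation path) must decide how to handle that revert rather than silently falling back to the last known price.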
#0 - neumoxx
2022-10-31T08:41:08Z
Duplicate of #601
#1 - c4-judge
2022-11-05T22:49:31Z
0xean marked the issue as duplicate
#2 - Simon-Busch
2022-12-05T15:29:41Z
Issue marked as satisfactory as requested by 0xean
#3 - c4-judge
2022-12-07T08:14:13Z
Simon-Busch marked the issue as duplicate of #584