Badger eBTC Audit + Certora Formal Verification Competition - twcctop's results

Lines of code

https://github.com/code-423n4/2023-10-badger/blob/99796c52f25618d706752fe51f80d146629fc4c6/packages/contracts/contracts/PriceFeed.sol#L57-L89

Vulnerability details

Impact

PriceFeed constructor doesn't check fallbackCaller state, it assumes fallbackCaller is trusted without any check. It may set the wrong state of oracle status.

Proof of Concept

status is to show the status of Oracle in init or previous call fetchPrice.It affects the return value of price and trusted status of oracle.Every time of status change should check current oracle return value and this will guarantee next call of fetchPrice have a right status to refer to. But in constructor,status is set to chainlinkWorking,and it doesn't check the state of fallback oracle.It assume fallback oracle works well. It will provide a bad reference to next call of fetchPrice , and it's possible to return imprecise oracle value. If don't check fallback oracle value,the status should be usingChainlinkFallbackUntrusted

Tools Used

manual

Recommended Mitigation Steps

diff --git a/packages/contracts/contracts/PriceFeed.sol b/packages/contracts/contracts/PriceFeed.sol
index ef244d4..5f7438a 100644
--- a/packages/contracts/contracts/PriceFeed.sol
+++ b/packages/contracts/contracts/PriceFeed.sol
@@ -85,7 +85,7 @@ contract PriceFeed is BaseMath, IPriceFeed, AuthNoOwner {
         _storeChainlinkPrice(chainlinkResponse.answer);

         // Explicitly set initial system status after `require` checks
-        status = Status.chainlinkWorking;
+        status = Status.usingChainlinkFallbackUntrusted;
     }

     // --- Functions ---
~

Assessed type

Oracle