DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: high
Invalid

Asset cannot deactivate by setting its oracle to the zero address

Summary

setAssetOracle in OwnerFacet.sol (lines 130-133) is intended to allow updating the oracle for a given asset. However, the implementation of this function does not allow an asset to be deactivated by setting its oracle to the zero address.

Vulnerability Details

The _setAssetOracle function, which is called by setAssetOracle, includes a safety check that reverts the transaction if either the asset or oracle parameters are the zero address.

Line 320:

    if (asset == address(0) || oracle == address(0))
        revert Errors.ParameterIsZero();

This prevents the setAssetOracle function from being used to deactivate an asset by setting its oracle to the zero address.

Impact

The inability to deactivate an asset could have significant implications for the system. If an asset becomes compromised or is no longer valid for some reason, there is no way to deactivate it without modifying the contract.

Tools Used

Manual

Recommendations

Add a separate function for deactivating assets. This function could set the oracle of an asset to the zero address without reverting.

    function deactivateAsset(address asset) external onlyDAO {
        s.asset[asset].oracle = address(0);
        emit Events.UpdateAssetOracle(asset, address(0));
    }

Consider also including additional safety checks in this function to prevent assets from being deactivated accidentally.
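
The following is an added example, not code from the submission or from DittoETH: a standalone model of the zero-address guard quoted above next to a separate deactivation path with checks against accidental use. The contract name, the oracleOf mapping, the owner role standing in for onlyDAO, the expectedOracle parameter and the extra errors are all hypothetical, and treating a zero oracle as "inactive" is the submission's premise.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Added illustration: a standalone model, not DittoETH's OwnerFacet or storage layout.
contract AssetOracleRegistry {
    error ParameterIsZero();
    error NotOwner();
    error AssetNotActive();
    error ConfirmationMismatch();

    event UpdateAssetOracle(address indexed asset, address indexed oracle);

    address public immutable owner;              // stands in for the onlyDAO role
    mapping(address => address) public oracleOf; // asset => oracle (hypothetical layout)

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Same guard as the quoted check: the setter can never write a zero oracle.
    function setAssetOracle(address asset, address oracle) external onlyOwner {
        if (asset == address(0) || oracle == address(0)) revert ParameterIsZero();
        oracleOf[asset] = oracle;
        emit UpdateAssetOracle(asset, oracle);
    }

    // Separate deactivation path. The caller must name the oracle being removed,
    // so a wrong asset address or a stale call reverts instead of clearing state.
    function deactivateAsset(address asset, address expectedOracle) external onlyOwner {
        if (asset == address(0)) revert ParameterIsZero();
        address current = oracleOf[asset];
        if (current == address(0)) revert AssetNotActive();
        if (current != expectedOracle) revert ConfirmationMismatch();
        delete oracleOf[asset];
        emit UpdateAssetOracle(asset, address(0));
    }

    // Consumers must check this before pricing; a zero oracle alone enforces nothing.
    function isActive(address asset) external view returns (bool) {
        return oracleOf[asset] != address(0);
    }
}
```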

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: User experience and design improvement
kiteweb3 Submitter
over 1 year ago
0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: User experience and design improvement
