DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Unvalidated Asset Address in getOraclePrice Function

Summary

Vulnerability Details

The function getOraclePrice does not validate if the provided asset address is valid or not.

Impact

This could potentially lead to unexpected behavior or manipulation if an invalid or malicious address is passed. An attacker could exploit this vulnerability by passing in a malicious contract address that could return manipulated data, leading to incorrect oracle prices being returned. This could have serious implications for any dependent functionality in the contract.

Tools Used

Manual

Recommendations

To resolve this issue, you should add a validation check for the 'asset' address before it's used in the getOraclePrice function. This can be done by creating a modifier that checks if the 'asset' address is a valid contract address and is not a malicious contract. Here is an example of how you can implement this:

```solidity
modifier validAsset(address _asset) {
    // Reject the zero address
    require(_asset != address(0), "Asset address cannot be 0");
    // Read the size of the code deployed at the address
    uint32 size;
    assembly {
        size := extcodesize(_asset)
    }
    require(size > 0, "Asset address must be a contract");
    _;
}

function getOraclePrice(address asset) internal view validAsset(asset) returns (uint256) {
    // existing code
}
```

This modifier first checks if the 'asset' address is not the 0 address. Then it checks if the 'asset' address is a contract by checking the size of the code at that address. If the size is greater than 0, it means it's a contract. If either of these checks fails, it will revert the transaction. This way, you can ensure that the 'asset' address is a valid contract address before it's used in the getOraclePrice function.
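An added example, not part of the submission and not DittoETH's code: a non-zero result from extcodesize shows only that some code is deployed at the address, so this contract accepts an asset only if an admin has registered a price feed for it. The contract name, the IPriceFeed interface (modelled on a Chainlink-style aggregator) and the single-admin model are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal price-feed interface (assumption: Chainlink-style aggregator shape).
interface IPriceFeed {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical registry; names and layout are illustrative only.
contract AssetOracleRegistry {
    address public immutable admin;
    mapping(address => IPriceFeed) private feeds; // asset => registered feed

    error NotAdmin();
    error NotAContract(address target);
    error UnknownAsset(address asset);
    error BadPrice(address asset);

    constructor() {
        admin = msg.sender;
    }

    // Registration is the trust decision: only the admin can bind an asset to a feed.
    function setFeed(address asset, IPriceFeed feed) external {
        if (msg.sender != admin) revert NotAdmin();
        // The code-size check is kept as a sanity check against typos and EOAs,
        // not as evidence that the contract is trustworthy.
        if (asset.code.length == 0) revert NotAContract(asset);
        if (address(feed).code.length == 0) revert NotAContract(address(feed));
        feeds[asset] = feed;
    }

    // Validity means "registered", so an arbitrary contract address reverts here
    // even though it would pass an extcodesize check.
    function getOraclePrice(address asset) public view returns (uint256) {
        IPriceFeed feed = feeds[asset];
        if (address(feed) == address(0)) revert UnknownAsset(asset);
        (, int256 answer, , , ) = feed.latestRoundData();
        if (answer <= 0) revert BadPrice(asset);
        return uint256(answer);
    }
}
```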

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
