Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Invalid

Improper contract initialization resulting in unexpected behavior.

Summary

Vulnerability Details

  1. function consult(address) is a public view function.

  2. It uses the return values of the internal calls _chainlinkIsFrozen() and _chainlinkIsBroken().

  3. _chainlinkIsFrozen() depends on the mapping maxDelays[token].

  4. _chainlinkIsBroken() depends on the function _badPriceDeviation(), which in turn depends on the mapping maxDeviations[token].

  5. These mappings are set by the functions addTokenMaxDelay() and addTokenMaxDeviation() respectively.

  6. Unfortunately, these mappings are not set at construction time, so there is a window between deployment and configuration during which the public view function consult() behaves in a way that is not intended.
    This behavior during the unconfigured window is not what the caller expects.

Function consult handles the case where the feed mapping hasn't been set:

address _feed = feeds[token];
if (_feed == address(0)) revert Errors.NoTokenPriceFeedAvailable();

But it doesn't handle the case where maxDelays[token] and maxDeviations[token] are still at their default (zero) values.

Impact

The view function would misbehave (return an inaccurate value or revert unexpectedly).

Tools Used

Manual review

Recommendations

The logic contained in the following functions should also be invoked in the constructor, as initialization:

  1. function addTokenMaxDelay()

  2. function addTokenMaxDeviation()

  3. function addTokenPriceFeed()
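To show the guard and the constructor initialization the report recommends, here is an added, simplified oracle sketch (not Steadefi's or the submitter's code): it keeps the names the report cites, assumes a hypothetical TokenNotConfigured error, a minimal Chainlink-style feed interface and a ">" staleness comparison, and models only the staleness check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added sketch, not Steadefi's code: only consult(), feeds, maxDelays,
// maxDeviations and the addToken*() setters come from the report.
interface IFeed {
    function latestRoundData() external view
        returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80);
}
contract OracleSketch {
    error NoTokenPriceFeedAvailable();
    error TokenNotConfigured();       // hypothetical, added for the guard
    error FrozenChainlinkResponse();  // hypothetical
    address public owner;
    mapping(address => address) public feeds;
    mapping(address => uint256) public maxDelays;      // seconds
    mapping(address => uint256) public maxDeviations;  // units assumed
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Hardened: the constructor runs the same setters the report lists,
    // so the contract never exists on-chain in an unconfigured state.
    constructor(address token, address feed, uint256 delay, uint256 dev) {
        owner = msg.sender;
        addTokenPriceFeed(token, feed);
        addTokenMaxDelay(token, delay);
        addTokenMaxDeviation(token, dev);
    }
    function addTokenPriceFeed(address t, address f) public onlyOwner {
        require(f != address(0), "zero feed"); feeds[t] = f;
    }
    function addTokenMaxDelay(address t, uint256 d) public onlyOwner {
        require(d != 0, "zero delay"); maxDelays[t] = d;
    }
    function addTokenMaxDeviation(address t, uint256 d) public onlyOwner {
        require(d != 0, "zero deviation"); maxDeviations[t] = d;
    }
    function consult(address token) public view returns (int256) {
        address _feed = feeds[token];
        if (_feed == address(0)) revert NoTokenPriceFeedAvailable();
        // Zero is the storage default, so a zero delay or deviation means the
        // token was never configured; unguarded, a zero maxDelay would make
        // every feed response look frozen and this view would revert.
        if (maxDelays[token] == 0 || maxDeviations[token] == 0) revert TokenNotConfigured();
        (, int256 answer, , uint256 updatedAt, ) = IFeed(_feed).latestRoundData();
        if (_chainlinkIsFrozen(token, updatedAt)) revert FrozenChainlinkResponse();
        return answer;
    }
    // Assumed shape of the staleness check; the deviation check is omitted.
    function _chainlinkIsFrozen(address t, uint256 updatedAt) internal view returns (bool) {
        return block.timestamp - updatedAt > maxDelays[t];
    }
}
```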

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issue
Obin Submitter almost 2 years ago
hans Auditor almost 2 years ago
hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
