Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

`ChainlinkARBOracle` contract : malicious/corrupted token price feed can't be updated

Summary

`ChainlinkARBOracle` contract: a malicious or corrupted token price feed cannot be updated

Vulnerability Details

  • The ChainlinkARBOracle.addTokenPriceFeed function registers a Chainlink price feed for a token. It can be called only once per token: once a feed has been set, every later call for that token reverts, so the feed can never be changed:

    if (feeds[token] != address(0))
        revert Errors.TokenPriceFeedAlreadySet();
  • If the feed registered for a token starts to behave maliciously, becomes corrupted, or simply stops updating, the contract owner has no way to point the oracle at a replacement feed; the only options are to keep consuming the bad feed or to redeploy the oracle.
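The following is an added example, not Steadefi's code: a minimal registry that keeps the one-time `addTokenPriceFeed` semantics from the report but adds a separate owner-only `updateTokenPriceFeed` path for replacing a bad feed. The `updateTokenPriceFeed` function, the events, the `_checkFeed` sanity check and the `MAX_FEED_AGE` constant are hypothetical names chosen for this illustration; the `feeds` mapping and the `addTokenPriceFeed` checks mirror the snippet on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not the project's code. Only latestRoundData() from the real
// Chainlink AggregatorV3Interface is declared here so the file compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract PriceFeedRegistryExample {
    address public owner;
    mapping(address => address) public feeds;

    // Hypothetical: oldest "latest answer" a candidate feed may have before we refuse to register it.
    uint256 public constant MAX_FEED_AGE = 1 days;

    event TokenPriceFeedAdded(address indexed token, address indexed feed);
    event TokenPriceFeedUpdated(address indexed token, address indexed oldFeed, address indexed newFeed);

    error ZeroAddressNotAllowed();
    error TokenPriceFeedAlreadySet();
    error TokenPriceFeedNotSet();
    error InvalidFeed();
    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Same semantics as the original: first registration only, reverts if a feed exists.
    function addTokenPriceFeed(address token, address feed) external onlyOwner {
        if (token == address(0) || feed == address(0)) revert ZeroAddressNotAllowed();
        if (feeds[token] != address(0)) revert TokenPriceFeedAlreadySet();
        _checkFeed(feed);
        feeds[token] = feed;
        emit TokenPriceFeedAdded(token, feed);
    }

    // Dedicated replacement path: requires an existing entry, so a typo in `token`
    // cannot silently register a new token, and emits old/new so the change is auditable.
    function updateTokenPriceFeed(address token, address newFeed) external onlyOwner {
        if (token == address(0) || newFeed == address(0)) revert ZeroAddressNotAllowed();
        address oldFeed = feeds[token];
        if (oldFeed == address(0)) revert TokenPriceFeedNotSet();
        _checkFeed(newFeed);
        feeds[token] = newFeed;
        emit TokenPriceFeedUpdated(token, oldFeed, newFeed);
    }

    // Sanity-check a feed before it goes live: it must answer with a positive price that is
    // fresh and from a completed round, so the owner cannot swap in a dead or bogus aggregator.
    function _checkFeed(address feed) internal view {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();
        if (answer <= 0) revert InvalidFeed();
        if (updatedAt == 0 || updatedAt > block.timestamp) revert InvalidFeed();
        if (block.timestamp - updatedAt > MAX_FEED_AGE) revert InvalidFeed();
        if (answeredInRound < roundId) revert InvalidFeed();
    }
}
```

Keeping add and update as two functions preserves the original intent of `TokenPriceFeedAlreadySet` (no accidental overwrite on first registration) while giving the owner a deliberate, event-logged way to rotate a feed; the pre-registration check on `latestRoundData()` is the caveat a practitioner wants, since an update path is only useful if the replacement feed is itself live.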

Impact

This effectively disables the oracle for the affected tokens: the values returned by a corrupted or stalled price feed are unreliable or invalid, and the contract offers no way to route around them short of redeploying.

Proof of Concept

ChainlinkARBOracle.addTokenPriceFeed function

    function addTokenPriceFeed(address token, address feed) external onlyOwner {
        if (token == address(0)) revert Errors.ZeroAddressNotAllowed();
        if (feed == address(0)) revert Errors.ZeroAddressNotAllowed();
        // Reverts for every call after the first: the feed for `token` is permanent.
        if (feeds[token] != address(0)) revert Errors.TokenPriceFeedAlreadySet();
        feeds[token] = feed;
    }

Tools Used

Manual Review.

Recommendations

Modify the ChainlinkARBOracle.addTokenPriceFeed function (or add a separate owner-only update function) so that the owner can replace a token's price feed:

function addTokenPriceFeed(address token, address feed) external onlyOwner {
if (token == address(0)) revert Errors.ZeroAddressNotAllowed();
if (feed == address(0)) revert Errors.ZeroAddressNotAllowed();
- if (feeds[token] != address(0)) revert Errors.TokenPriceFeedAlreadySet();
feeds[token] = feed;
}
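Review bot: dropping the `if (feeds[token] != address(0)) revert Errors.TokenPriceFeedAlreadySet();` line turns `addTokenPriceFeed` into a silent overwrite, so a wrong `token` argument on a later call replaces a live feed with no signal and the original protection against accidental re-registration is lost. Prefer keeping this check in `addTokenPriceFeed` and adding a dedicated owner-only update function that requires `feeds[token] != address(0)`, emits an event carrying the old and new feed addresses, and rejects a replacement whose `latestRoundData()` is stale or non-positive.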

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink price feed can not be updated

Impact: High
Likelihood: Low
