Beginner Friendly, Foundry, DeFi, Oracle
100 EXP
Submission Details
Severity: low
Invalid

Oracle call is not handled properly

Summary

Oracles can be unreachable, so callers should expect and handle errors when querying them.
It is also good practice to bound the values retrieved from an Oracle.

Vulnerability Details

Calling the Oracle without a try/catch block means any failure inside the call propagates to the caller and the returned price is used as-is, which can lead to execution failures and other malicious behavior.

Impact

Execution failure or price manipulation.

Tools Used

Manual code analysis.

Recommendations

To handle potential DoS cases when the Oracle is unreachable or an error occurs during the call to getPriceInWeth, we can wrap the call to this function in a try/catch block. If the Oracle call fails, the catch block can handle the error gracefully.
Additionally, to mitigate an on-chain Oracle attack (price manipulation), we may also check that minPrice < receivedPrice < maxPrice.

```solidity
function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
    uint256 tokenPrice;
    // External self-call so the revert can be caught; getPriceInWeth must be public/external.
    try this.getPriceInWeth(address(token)) returns (uint256 price) {
        tokenPrice = price;
    } catch {
        // A bare catch also covers reverts without a reason string (custom errors, panics),
        // which `catch Error(string memory)` alone would let bubble up uncaught.
        // Handle the error as needed, e.g., set tokenPrice to a default value.
        revert(); // or set tokenPrice = N if applicable.
    }
    // Previously: (amount * getPriceInWeth(address(token))) / s_feePrecision;
    uint256 valueOfBorrowedToken = (amount * tokenPrice) / s_feePrecision;
    fee = (valueOfBorrowedToken * s_flashLoanFee) / s_feePrecision;
}
```
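As an added example (not the submission's code and not the contest contract's), here is a fee calculator that applies both recommendations together: every kind of oracle revert is converted into a typed error, and prices outside a configured band are rejected before they reach the fee arithmetic. `IPriceSource`, `GuardedFeeCalculator`, the error names and the price bounds are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface for the price source; the contest contract derives the price via its pool factory.
interface IPriceSource {
    function getPriceInWeth(address token) external view returns (uint256);
}

contract GuardedFeeCalculator {
    error OracleUnavailable(address token);
    error PriceOutOfBounds(address token, uint256 price);

    uint256 public constant FEE_PRECISION = 1e18;
    uint256 public immutable flashLoanFee; // e.g. 3e15 == 0.3 % (assumed value)
    IPriceSource public immutable priceSource;
    // Accepted price band (assumed, constructor-set): anything outside is treated as manipulated or broken.
    uint256 public immutable minPrice;
    uint256 public immutable maxPrice;

    constructor(IPriceSource src, uint256 fee, uint256 min_, uint256 max_) {
        // An address with no code returns empty data; that ABI decoding failure is NOT caught by try/catch.
        require(address(src).code.length > 0, "price source has no code");
        require(min_ < max_, "invalid price bounds");
        priceSource = src;
        flashLoanFee = fee;
        minPrice = min_;
        maxPrice = max_;
    }

    // Query the oracle; convert any revert into a typed error and enforce the sanity band.
    function safePriceInWeth(address token) public view returns (uint256 price) {
        try priceSource.getPriceInWeth(token) returns (uint256 p) {
            price = p;
        } catch {
            // Bare catch covers reason strings, custom errors and panics alike.
            revert OracleUnavailable(token);
        }
        if (price < minPrice || price > maxPrice) revert PriceOutOfBounds(token, price);
    }

    // Same arithmetic as the original getCalculatedFee, fed by the guarded price.
    function getCalculatedFee(address token, uint256 amount) public view returns (uint256 fee) {
        uint256 valueOfBorrowedToken = (amount * safePriceInWeth(token)) / FEE_PRECISION;
        fee = (valueOfBorrowedToken * flashLoanFee) / FEE_PRECISION;
    }
}
```

The typed errors make a failed or out-of-band oracle read distinguishable from other reverts in traces and monitoring, which the bare `revert()` in the submission's snippet does not.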
Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
