Submission Details
Severity: low
Invalid

`LibWhitelist.verifyOracleImplementation()` incorrectly verifies custom oracle implementation

Summary

It verifies the oracle address and selector by performing a staticcall():

```solidity
function verifyOracleImplementation(
    address oracleImplementation,
    bytes4 selector,
    bytes1 encodeType
) internal view {
    bool success;
    // if the encode type is 0x01, verify using the chainlink implementation.
    if (encodeType == bytes1(0x01)) {
        (success, ) = oracleImplementation.staticcall(
            abi.encodeWithSelector(IChainlinkAggregator.decimals.selector)
        );
    } else if (encodeType == bytes1(0x02)) {
        // 0x0dfe1681 == token0() for uniswap pools.
        (success, ) = oracleImplementation.staticcall(abi.encodeWithSelector(0x0dfe1681));
    } else {
        // verify you passed in a callable oracle selector
@>      (success, ) = oracleImplementation.staticcall(abi.encodeWithSelector(selector, 0));
    }
    require(success, "Whitelist: Invalid Oracle Implementation");
}
```

However, this check is not consistent with the actual LibUsdOracle logic, because address(0) is a special value that is replaced with address(this):
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/main/protocol/contracts/libraries/Oracle/LibUsdOracle.sol#L163-L174

```solidity
function getTokenPriceFromExternal(
    address token,
    uint256 lookback
) internal view returns (uint256 tokenPrice) {
    ...
    // If the oracle implementation address is not set, use the current contract.
    address target = oracleImpl.target;
@>  if (target == address(0)) target = address(this);
    (bool success, bytes memory data) = target.staticcall(
        abi.encodeWithSelector(oracleImpl.selector, lookback)
    );
    if (!success) return 0;
    assembly {
        tokenPrice := mload(add(data, add(0x20, 0)))
    }
}
```
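The divergence between the two code paths, shown as an added, self-contained demo contract (not Beanstalk code): a staticcall to address(0), which has no code, always succeeds, so the whitelist check accepts any selector for an unset target, while the price path resolves address(0) to address(this) and fails for a selector the contract does not implement. `demoPrice`, `verifyOriginal`, `verifyFixed` and `compare` are hypothetical names constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed demo (not Beanstalk code). Reproduces the custom-selector
/// branch of LibWhitelist.verifyOracleImplementation next to the target
/// resolution done by LibUsdOracle.getTokenPriceFromExternal.
contract OracleWhitelistDemo {
    /// Hypothetical oracle function living on this contract itself, the role
    /// address(0) plays as a target in LibUsdOracle.
    function demoPrice(uint256 /* lookback */) external pure returns (uint256) {
        return 1e6;
    }

    /// Check as written on the page: staticcall the given address directly.
    function verifyOriginal(address oracleImplementation, bytes4 selector)
        public view returns (bool success)
    {
        (success, ) = oracleImplementation.staticcall(
            abi.encodeWithSelector(selector, 0)
        );
    }

    /// Check with address(0) resolved to address(this), mirroring
    /// `if (target == address(0)) target = address(this);`.
    function verifyFixed(address oracleImplementation, bytes4 selector)
        public view returns (bool success)
    {
        address target = oracleImplementation == address(0)
            ? address(this)
            : oracleImplementation;
        (success, ) = target.staticcall(abi.encodeWithSelector(selector, 0));
    }

    /// Both checks against a selector this contract does not implement.
    /// Expected: original = true (a call to a codeless account cannot fail),
    /// patched = false (no matching function and no fallback, so it reverts).
    function compareBogus() external view returns (bool original, bool patched) {
        bytes4 bogus = bytes4(keccak256("doesNotExist(uint256)"));
        original = verifyOriginal(address(0), bogus);
        patched = verifyFixed(address(0), bogus);
    }

    /// Both checks against a selector that does exist here.
    /// Expected: original = true, patched = true.
    function compareValid() external view returns (bool original, bool patched) {
        original = verifyOriginal(address(0), this.demoPrice.selector);
        patched = verifyFixed(address(0), this.demoPrice.selector);
    }
}
```

Deploy the contract and call `compareBogus()` and `compareValid()`; only the patched check distinguishes the two selectors when the target is address(0).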

Impact

The custom oracle selector is incorrectly validated when the oracle implementation is address(0). As a result, the check won't catch an incorrect selector.

Tools Used

Manual Review

Recommendations

} else {
+ if (oracleImplementation == address(0)) oracleImplementation = address(this);
// verify you passed in a callable oracle selector
(success, ) = oracleImplementation.staticcall(abi.encodeWithSelector(selector, 0));
}
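Review bot: the added line reassigns the `oracleImplementation` parameter in place, which hides the original argument from the rest of the function and from the revert message; prefer a local, e.g. `address target = oracleImplementation == address(0) ? address(this) : oracleImplementation;` and staticcall `target`, mirroring `address target = oracleImpl.target;` / `if (target == address(0)) target = address(this);` in getTokenPriceFromExternal. Note also that the substitution is placed only in the custom-selector `else` branch, so the `0x01` and `0x02` branches shown above would still staticcall address(0) directly and pass for the same reason this finding describes.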
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic

Appeal created

T1MOH Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
