Submission Details
Severity:
Oracle Request Overwriting
Summary
Both oraclePurchaseRequest() and oracleStateRequest() allow overwriting existing requests.
Vulnerability Details
function oracleStateRequest(bytes calldata _input, bytes calldata _models) external onlyAuthorized {
// check that we are in the Withdraw phase, and return round
(uint256 round,) = _checkRoundPhase(Phase.Withdraw);
oracleStateRequests[round] =
swan.coordinator().request(SwanBuyerStateOracleProtocol, _input, _models, swan.getOracleParameters());
}
function oraclePurchaseRequest(bytes calldata _input, bytes calldata _models) external onlyAuthorized {
// check that we are in the Buy phase, and return round
(uint256 round,) = _checkRoundPhase(Phase.Buy);
oraclePurchaseRequests[round] =
swan.coordinator().request(SwanBuyerPurchaseOracleProtocol, _input, _models, swan.getOracleParameters());
}
No check if a request already exists for the round. Owner and operator can overwrite each other's requests. Potential loss of oracle fees if previous request wasn't processed. Malicious operator could override legitimate requests
Impact
loss of oracle fees if previous request wasn't processed.
Tools Used
Manual Review
Recommendations
// Add protection against overwriting
if (oraclePurchaseRequests[round] != 0) {
revert ExistingRequest(round);
}
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420 USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.