Unlimited Backup Oracles and Duplicate Oracle Entries in UpdateWeightRunner
Summary
The setRuleForPool function allows an unlimited number of backup oracles to be configured and does not prevent duplicate oracle entries, which could lead to increased gas costs and potential DOS attacks during oracle updates.
Vulnerability Details
In the UpdateWeightRunner contract's setRuleForPool function, when validating oracle configurations, there is no limit on the number of backup oracles that can be added per token and no check for duplicate oracle addresses:
This means that:
A malicious or careless pool manager could add an excessive number of backup oracles
The same oracle address could be added multiple times as a backup
During oracle updates, the contract would need to iterate through all backup oracles, potentially consuming excessive gas and blocking weight updates. (Imagine a pool with 1000 backup oracles of all the same oracle)
Impact
Gas Grief whoever updates weights making ti so that I a malicious pool manager has more control over when pools get updated.
Potential DOS - The lack of limits on backup oracles and duplicate checks could lead to:
Excessive gas consumption during oracle updates
Potential DOS if too many backup oracles are added
Unnecessary storage costs
Inefficient oracle fallback process
Tools Used
Manual Review
Recommendations
Validate the number of backup oracles is less then a set max and check for duplicates.
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.