QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Potential Duplicate Oracles

Summary

The constructor does not check for duplicate entries in the _oracles array.

Vulnerability Details

The constructor for the contract directly accepts the _oracles array and pushes its entries into the _oracles storage array without checking for duplicates. This allows for scenarios where the same oracle address appears multiple times in the array. Since the system uses the oracles array in calculations (e.g. in _getData), duplicates can lead to redundant processing, unnecessary gas consumption, and potential logic errors.

Impact

  1. Unnecessary Gas Usage:

  • Duplicate oracles in the oracles array cause redundant calculations during execution, such as in _getData().

  • Redundant oracle configurations may lead to unnecessary gas usage and duplicate calculations.

  2. Redundant or Incorrect Aggregations:

  • If the same oracle is processed multiple times during data aggregation, the results may be distorted or unnecessarily duplicated.
    For example:

    • The timestamp aggregation could be incorrect (e.g. the same timestamp could be chosen multiple times).

    • The data calculation may unnecessarily involve duplicate multiplications or divisions.

Tools Used

Manual review

Recommendations

Add logic to ensure each oracle is unique, for example:

  • Mapping-Based Duplicate Detection (Efficient Approach)
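A sketch of the mapping-based check named above, as an added example that is not code from the audited project or from the submission. The contract name, the constructor parameter `oracles_`, the `_isRegistered` mapping and the custom errors are hypothetical; only the `_oracles` storage array comes from the finding, and the element type is assumed to be `address`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration only. Every name except `_oracles` is hypothetical
/// and is not taken from the audited code base.
contract OracleListExample {
    error ZeroOracleAddress(uint256 index);
    error DuplicateOracle(address oracle, uint256 index);

    // Ordered list of oracles, as described in the finding.
    address[] internal _oracles;

    // Membership set, used only to reject repeated addresses with a
    // single lookup per entry instead of comparing every pair.
    mapping(address => bool) internal _isRegistered;

    constructor(address[] memory oracles_) {
        uint256 length = oracles_.length;

        for (uint256 i = 0; i < length; ++i) {
            address oracle = oracles_[i];

            // Extra sanity check beyond the finding's recommendation:
            // an unset address can never be a usable oracle.
            if (oracle == address(0)) revert ZeroOracleAddress(i);

            // Revert the whole deployment on the first repeat, so a
            // misconfigured list never reaches storage.
            if (_isRegistered[oracle]) revert DuplicateOracle(oracle, i);

            _isRegistered[oracle] = true;
            _oracles.push(oracle);
        }
    }

    /// Number of oracles accepted at construction.
    function oracleCount() external view returns (uint256) {
        return _oracles.length;
    }
}
```

The mapping costs one additional storage write per oracle at deployment; for a short list, comparing each new entry against the ones already accepted in memory performs the same check without that write.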

Updates

Lead Judging Commences

n0kto Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
