Multihop Oracle Missing Redundant Oracles Sanitization Check: Vulnerability Causes Centralization Risk and Invert Manipulation
Summary
In the MultihopOracle contract, the constructor allows unsanitized oracles to be pushed into the multihopConfigs oracles array. This oversight can result in severe centralization risks and invert data manipulation, potentially leading to fund losses, market manipulation, and other issues.
Vulnerability Details
MultihopOracle::constructor
Impact
Centralization Risk
Multiple instances of the same oracle can lead to a single point of failure.Oracle Data Manipulation
Different opposite invert boolean settings for the same oracle could result in data corruption.Fund Losses
Misconfigured or manipulated data can lead to financial losses.Market Manipulation
Malicious actors could exploit vulnerabilities to manipulate markets.
Tools Used
Manual Review
Recommendations
Implement logic to detect and eliminate redundant identical oracle entries in the oracles array.
Suggested Solution
Below is a possible solution for the MultihopOracle constructor:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.