QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

MultiHopOracle Ignores Whitelisted Oracle Validation, Using Removed Oracles

ace_30

Summary

When a previously trusted oracle is removed from the whitelist of approved oracles by the quantammAdmin in the updateWeighRunner.sol contract, the MultiHopOracle contract continues to use this blacklisted oracle during its data-fetching operations. This behavior contradicts the intended functionality of excluding unapproved oracles from protocol operations.

Vulnerability Details

A MultiHopOracle for ETH-BTC is deployed and configured using two whitelisted trusted oracles:

• ETH-USD

• BTC-USD
The quantammAdmin decides to remove the BTC-USD oracle from the list of approved oracles by calling the removeOracle function in UpdateWeightRunner.sol. link
The _getOracleData function in the main protocol checks the whitelist before fetching data and skips the removed oracle:

/// @notice Call oracle to retrieve new data
/// @param _oracle the target oracle
function _getOracleData(OracleWrapper _oracle) private view returns (OracleData memory oracleResult) {
if (!approvedOracles[address(_oracle)]) return oracleResult; // Return empty timestamp if oracle is no longer approved, result will be discarded
(int216 data, uint40 timestamp) = _oracle.getData();
oracleResult.data = data;
oracleResult.timestamp = timestamp;
}
When fetching data, the BTC-ETH MultiHopOracle, it does not check whether the oracles are still approved. It continues to query the removed BTC-USD oracle, which results in incorrect or potentially malicious data being fetched and used:

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/MultiHopOracle.sol#L39
This leads to the use of blacklisted oracles in MultiHopOracle, which can result in incorrect or malicious data affecting protocol operations.

Impact

Faulty or malicious oracles may remain functional within the MultiHopOracle, potentially providing incorrect or manipulated data.

Tools Used

vscode

Recommendations

Implement a whitelist validation check in the MultiHopOracle contract to ensure only approved oracles are used. For example:

if (!approvedOracles[address(oracleConfig.oracle)]) {continue; // Skip blacklisted oracle}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

invalid_immutable_oracles/variables

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!