QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Only the last 'pair' price will be returned while using `multiHopOracle.sol`

web3tycoon

Summary
In `MultiHopOracle.sol` in the function `_getData` price of a pair is gotten through looping `oracles` checking price of the pair then returning the data and timestamp. But the issue arises on how `return` is used. Lets say we have 2 pairs to check price. and during construction we passed the two pairs. so when `_getData` is called we are supposed to receive two price of the corresponding pair. but we shall receive only one. this is because how solidity works under the hood. return can only be used once. in function calling. thus it will return only the price of the last pair in the array of oracles

Vulnerability Details

place the test in MultiHopOracle.t.sol

function testReturnsAllOracles() public {

// the price assumed to be returned in the first oracle.

int216 fixedValue1 = 2000;

// the price assummed to be returned in the second oracle.

int216 fixedValue2 = 0.001e18;

uint delay1 = 3600;

uint delay2 = 3600;

bool[] memory invert = new bool[]();

invert[0] = false;

invert[1] = false;

chainlinkOracle1 = new MockChainlinkOracle(fixedValue1, delay1);

chainlinkOracle2 = new MockChainlinkOracle(fixedValue2, delay2);

address[] memory oracles = new address[]();

oracles[0] = address(chainlinkOracle1);

oracles[1] = address(chainlinkOracle2);

bool[] memory invertFlags = new bool[]();

invertFlags[0] = invert[0];

invertFlags[1] = invert[1];

//we set oracles here.

MultiHopOracle.HopConfig[] memory hops = new MultiHopOracle.HopConfig[]();

hops[0] = MultiHopOracle.HopConfig({ oracle: OracleWrapper(address(chainlinkOracle1)), invert: invert[0] });

hops[1] = MultiHopOracle.HopConfig({ oracle: OracleWrapper(address(chainlinkOracle2)), invert: invert[1] });

multiHopOracle = new MultiHopOracle(hops);

vm.warp(block.timestamp + 3600);

// the data expected to be returned from the first oracle is 2000, and second oracle is 0.001e18

// but we only get the last digit to be returned which is 1.

(int216 data, ) = multiHopOracle.getData();

assertEq(data, 1);

//this is an issue for calling getData in multiHopOracle contract will always return the last pair price in the array.

}

we see when calling getData() we shall only receive the last pair price in the test.

Impact

Possibilility of wrong price to be returned leading, to wrong calculation of weights.

Tools Used

foundry

Recommendations

refactor the code to use a mapping where we can pass a pair . and the oracle returns the price.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

web3tycoon Submitter

10 months ago

n0kto Lead Judge

9 months ago

n0kto Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.