Submission Details
Severity:
Impassibility of using the `UpliftOnlyExample` contract with pools where get data is not allowed
Summary
The UpliftOnlyExample contract uses IUpdateWeightRunner(_updateWeightRunner).getData(poolAddress) call which can cause revert in case the getData call for the pool is restricted. This makes it impossible to use the contract with such pools.
Vulnerability Details
UpdateWeightRunner
function getData(address _pool) public view virtual returns (int256[] memory outputData) {
return _getData(_pool, false);
}
/// @notice Get the data for a pool from the oracles and return it in the same order as the assets in the pool
/// @param _pool Pool to get data for
/// @param internalCall Internal call flag to detect if the function was called internally for emission and permissions
function _getData(address _pool, bool internalCall) private view returns (int256[] memory outputData) {
>> require(internalCall || (approvedPoolActions[_pool] & MASK_POOL_GET_DATA > 0), "Not allowed to get data");
Impact
Impassibility of using the UpliftOnlyExample contract with pools where get data is not allowed
Tools used
Manual Review
Recommendations
Consider implementing a separate check for getting data by the protocol's contracts.
Prize pool breakdown
Total prize
49,600 OP
nSLOC
3,00017 OP / LOC
44,640
4,960
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.