Submission Details
Severity:
Function `StabilityBranch#fulfillSwap()` always revert because these is no way to pay fee to verify report
Vulnerability Details
In the function fulfillSwap(), itt will verify price before execute swapping:
// get price from report in 18 dec
ctx.priceX18 = stabilityConfiguration.verifyOffchainPrice(priceData);
It will call to verifyReport() function to verify report
function verifyOffchainPrice(Data storage self, bytes memory priceData) internal returns (UD60x18 priceX18) {
bytes memory reportData = ChainlinkUtil.getReportData(priceData);
IVerifierProxy chainlinkVerifier = self.chainlinkVerifier;
(FeeAsset memory fee) = ChainlinkUtil.getEthVericationFee(chainlinkVerifier, reportData);
bytes memory verifiedPricetData = ChainlinkUtil.verifyReport(chainlinkVerifier, fee, priceData); // <--
PremiumReport memory premiumReport = abi.decode(verifiedPricetData, (PremiumReport));
if (block.timestamp > premiumReport.validFromTimestamp + self.maxVerificationDelay) {
revert Errors.DataStreamReportExpired();
}
priceX18 = ud60x18(int256(premiumReport.price).toUint256());
}
That will transfer eth to chainlinkVerifier contract to pay for fee and verify
function verifyReport(
IVerifierProxy chainlinkVerifier,
FeeAsset memory fee,
bytes memory signedReport
)
internal
returns (bytes memory verifiedReportData)
{
verifiedReportData = chainlinkVerifier.verify{ value: fee.amount }(signedReport, abi.encode(fee.assetAddress)); // <--
}
But problem is, there is no way to transfer eth to StabilityBranchcontract, and it do not have payable modifier in the function, lead to function always revert
Impact
Unable to fulfill swap
Recommendations
Add mechanism to make sure the function can pay for fee to verify price
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821 USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.