Summary
RAACHousePrices::setOracle accepts any address without validation, so the oracle can be set to the zero address (or to an EOA). The setter should check that the address is not zero and, through interface implementation checks, that the target is a contract that actually behaves as an oracle rather than a malicious or unrelated address. Setting a wrong oracle address will affect the functioning of the contract.
Vulnerability Details
function setOracle(address _oracle) external onlyOwner {
oracle = _oracle;
}
Impact
Breaks the functionality of the protocol: once the oracle is the zero address, every part of the contract that relies on the oracle stops working.
Add a folder test under contracts/core/primitives/ and create contracts/core/primitives/test/RAACHousePrices.t.sol with the following contents:
pragma solidity ^0.8.19;

// forge-std is installed by Soldeer under dependencies/, four levels up from this test folder
import { Test } from '../../../../dependencies/forge-std-1.9.6/src/Test.sol';
import { RAACHousePrices } from '../RAACHousePrices.sol';

// Minimal contract whose address is used as the owner of RAACHousePrices
contract FakeDeployer {}

contract TestRAACToken is Test {
    RAACHousePrices public rAACHousePrices;
    FakeDeployer fakeDeployer;
    address public owner;

    function setUp() public {
        fakeDeployer = new FakeDeployer();
        owner = address(fakeDeployer);
        rAACHousePrices = new RAACHousePrices(owner);
    }

    // The call succeeds even though the new oracle is the zero address,
    // which demonstrates the missing validation
    function test_SetOracleToZeroSuccess() external {
        address newOracle = address(0);
        vm.prank(owner);
        rAACHousePrices.setOracle(newOracle);
        address actualOracle = rAACHousePrices.oracle();
        assertEq(newOracle, actualOracle);
    }
}
Convert the project to a Foundry project:
1. Install the hardhat-foundry plugin: npm i --save-dev @nomicfoundation/hardhat-foundry
2. Add require("@nomicfoundation/hardhat-foundry"); to the top of your hardhat.config.js file.
3. Run npx hardhat init-foundry in your terminal. This will generate a foundry.toml file based on your Hardhat project's existing configuration, and will install the forge-std library.
4. Run forge test --mt test_SetOracleToZeroSuccess -vvv
Results
(base) vik@vik:~/projects/auditing/2025-02-raac$ forge test --mt test_SetOracleToZeroSuccess -vvv
[⠒] Compiling...
[⠑] Compiling 1 files with Solc 0.8.28
[⠘] Solc 0.8.28 finished in 2.48s
Compiler run successful!
Ran 1 test for contracts/core/primitives/test/RAACHousePrices.t.sol:TestRAACToken
[PASS] test_SetOracleToZeroSuccess() (gas: 16286)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.34ms (376.21µs CPU time)
Ran 1 test suite in 36.91ms (2.34ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
Tools Used
Foundry and Soldeer
Recommendations
Add the following checks. Note that the code-size check only confirms that the address holds deployed bytecode; it does not prove the contract implements the expected oracle interface, so a call to the oracle's interface should be made as well if stronger guarantees are wanted.
function setOracle(address _oracle) external onlyOwner {
+   require(_oracle != address(0));
+   require(_oracle.code.length != 0);
    oracle = _oracle;
}
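As an added example that is not part of the RAAC code base or of this finding's original PoC, the following Foundry file combines the hardened setter with the interface implementation check mentioned in the summary and a test suite covering the zero-address, EOA and wrong-contract cases. IPriceOracle, OracleConsumer and the latestPrice() probe are hypothetical stand-ins for the real RAACHousePrices oracle interface, which this finding does not show; the forge-std import uses the default forge remapping rather than the Soldeer path used above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import { Test } from "forge-std/Test.sol";

// Hypothetical oracle interface (assumption: the real RAAC interface is not shown here)
interface IPriceOracle {
    function latestPrice() external view returns (uint256);
}

// Hypothetical consumer standing in for RAACHousePrices
contract OracleConsumer {
    error ZeroAddress();
    error NotAContract(address candidate);
    error OracleProbeFailed(address candidate);

    event OracleUpdated(address indexed previous, address indexed current);

    address public owner;
    address public oracle;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address initialOwner) {
        owner = initialOwner;
    }

    function setOracle(address _oracle) external onlyOwner {
        // 1. Reject the zero address: a zero oracle makes every price lookup fail.
        if (_oracle == address(0)) revert ZeroAddress();
        // 2. Reject EOAs: code.length is 0 for any address without deployed bytecode.
        if (_oracle.code.length == 0) revert NotAContract(_oracle);
        // 3. Interface probe: a contract that lacks latestPrice() (or reverts on it)
        //    is rejected before it can be wired into the protocol.
        try IPriceOracle(_oracle).latestPrice() returns (uint256) {
            // probe succeeded, the candidate answers the expected call
        } catch {
            revert OracleProbeFailed(_oracle);
        }
        emit OracleUpdated(oracle, _oracle);
        oracle = _oracle;
    }
}

// Well-behaved mock oracle used by the positive test
contract GoodOracle is IPriceOracle {
    function latestPrice() external pure returns (uint256) { return 1e18; }
}

// Deployed contract that does not implement the interface (no fallback either)
contract NoInterface {}

contract OracleConsumerTest is Test {
    OracleConsumer consumer;
    address ownerAddr = address(0xA11CE); // constructed owner address

    function setUp() public {
        consumer = new OracleConsumer(ownerAddr);
    }

    function test_RevertsOnZeroAddress() public {
        vm.prank(ownerAddr);
        vm.expectRevert(OracleConsumer.ZeroAddress.selector);
        consumer.setOracle(address(0));
    }

    function test_RevertsOnEOA() public {
        address eoa = address(0xB0B); // constructed address with no code
        vm.prank(ownerAddr);
        vm.expectRevert(abi.encodeWithSelector(OracleConsumer.NotAContract.selector, eoa));
        consumer.setOracle(eoa);
    }

    function test_RevertsOnContractWithoutInterface() public {
        address bad = address(new NoInterface());
        vm.prank(ownerAddr);
        vm.expectRevert(abi.encodeWithSelector(OracleConsumer.OracleProbeFailed.selector, bad));
        consumer.setOracle(bad);
    }

    function test_AcceptsValidOracle() public {
        address good = address(new GoodOracle());
        vm.prank(ownerAddr);
        consumer.setOracle(good);
        assertEq(consumer.oracle(), good);
    }
}
```

Run it with forge test --mc OracleConsumerTest -vvv. The try/catch probe is what distinguishes "has bytecode" from "implements the oracle interface": NoInterface passes the code-size check from the recommendation above but is still rejected, which is the gap the plain code.length check leaves open.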