Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Status: Invalid

Lack of Validation for Empty/Incomplete Data and Missing Sanity Checks on Oracle Responses

Summary

The contract's response handling does not verify that the data returned by the oracle is non-empty and at least as long as the type being decoded before calling abi.decode on it. The decoded value (e.g., the prime rate) is then accepted without any sanity check that it falls within expected bounds. Malformed or malicious oracle responses can therefore either revert the callback unexpectedly or write an erroneous value into state.

Vulnerability Details

  • Empty/Incomplete Data Handling:
    In _processResponse, the oracle response is decoded with abi.decode(response, (uint256)) without first checking that response is non-empty or at least 32 bytes long. abi.decode reverts when the byte array is shorter than the encoded type requires, so an empty or truncated response reverts the whole callback.

  • Missing Sanity Checks:
    Once the response is decoded into a value (e.g., lastPrimeRate), nothing confirms that the value is plausible (for example, that the rate is non-zero or falls within a predetermined range). A manipulated or faulty oracle can therefore supply an out-of-bounds value, which is stored and pushed to downstream contracts that rely on it, such as the lending pool.

Impact

  • Malformed or empty oracle data makes abi.decode revert, so a failing or compromised oracle denies service to every update that depends on the callback.

  • Without sanity checks, an incorrect prime rate (or similar critical value) is stored and propagated, producing inaccurate interest calculations in dependent financial contracts such as lending pools and opening the door to financial loss or rate manipulation.

Tools Used

Manual review

Recommendations

  • Before decoding the response, check that the response byte array is not empty and is at least as long as the ABI encoding of the expected type (32 bytes for a uint256):

    // A uint256 is ABI-encoded as a single 32-byte word.
    require(response.length >= 32, "Invalid response: insufficient data");

  • After decoding the oracle response, verify that the value is within an acceptable range, for example that the prime rate is positive and below a realistic upper bound, before storing or propagating it:

    uint256 decodedValue = abi.decode(response, (uint256));
    require(decodedValue > 0 && decodedValue < MAX_ACCEPTABLE_PRIME_RATE, "Invalid prime rate value");
    lastPrimeRate = decodedValue;
    lendingPool.setPrimeRate(lastPrimeRate);

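The two recommendations above, assembled into one hardened consumer contract as an added example. This is illustrative code written for this page, not the project's own contract: only _processResponse, lastPrimeRate and lendingPool.setPrimeRate come from the finding; the ILendingPool interface, the fulfill entry point, the oracle access check, the basis-point units and the MIN/MAX bounds are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Downstream consumer of the rate. The real interface is assumed, not
/// taken from the project.
interface ILendingPool {
    function setPrimeRate(uint256 rate) external;
}

/// Hypothetical oracle consumer applying both recommended checks before
/// trusting a response. Everything except _processResponse, lastPrimeRate
/// and lendingPool.setPrimeRate is an assumption for this example.
contract HardenedPrimeRateConsumer {
    // Assumed units: basis points (1e4 = 100%). A prime rate of 0 or above
    // 50% is treated as a faulty or manipulated response.
    uint256 public constant MIN_ACCEPTABLE_PRIME_RATE = 1;
    uint256 public constant MAX_ACCEPTABLE_PRIME_RATE = 5_000;

    // The ABI encoding of a uint256 is exactly one 32-byte word.
    uint256 private constant UINT256_ENCODED_LENGTH = 32;

    ILendingPool public immutable lendingPool;
    address public immutable oracle; // assumed: only the configured oracle may call back

    uint256 public lastPrimeRate;

    error NotOracle(address caller);
    error EmptyResponse();
    error InsufficientResponseLength(uint256 actual, uint256 required);
    error PrimeRateOutOfBounds(uint256 rate, uint256 min, uint256 max);

    event PrimeRateUpdated(uint256 previousRate, uint256 newRate);

    constructor(ILendingPool pool, address oracle_) {
        lendingPool = pool;
        oracle = oracle_;
    }

    /// Oracle callback (name and signature assumed). Restricting the caller
    /// to the configured oracle is what allows the data itself to be treated
    /// as trusted; the checks in _processResponse only catch gross garbage.
    function fulfill(bytes calldata response) external {
        if (msg.sender != oracle) revert NotOracle(msg.sender);
        _processResponse(response);
    }

    function _processResponse(bytes memory response) internal {
        // 1. Reject empty and truncated payloads explicitly instead of
        //    letting abi.decode revert without a useful reason.
        if (response.length == 0) revert EmptyResponse();
        if (response.length < UINT256_ENCODED_LENGTH) {
            revert InsufficientResponseLength(response.length, UINT256_ENCODED_LENGTH);
        }

        // Safe now: abi.decode reads one word and ignores any trailing bytes.
        uint256 decoded = abi.decode(response, (uint256));

        // 2. Sanity-check the decoded value against fixed bounds before it
        //    reaches storage or the lending pool.
        if (decoded < MIN_ACCEPTABLE_PRIME_RATE || decoded > MAX_ACCEPTABLE_PRIME_RATE) {
            revert PrimeRateOutOfBounds(decoded, MIN_ACCEPTABLE_PRIME_RATE, MAX_ACCEPTABLE_PRIME_RATE);
        }

        uint256 previous = lastPrimeRate;
        lastPrimeRate = decoded;
        lendingPool.setPrimeRate(decoded);
        emit PrimeRateUpdated(previous, decoded);
    }
}
```

The length and bounds checks stop truncated payloads and zero or absurd rates with a descriptive revert; they cannot detect a value that is wrong but within range. That residual risk is covered only by the caller restriction and by trusting whoever configures the oracle, which is the reasoning the judge applied in invalidating this finding.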
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] API response validation

We need to assume that the trusted admin is able to properly configure the API that will provide values. As long as the response isn't empty (and there's a check for that) then anything else relies on the accuracy of the data the API provides.
