Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Oracle Data Validation Missing

ibukunola

Summary

The _processResponse function sets lastPrimeRate without bounds checking, allowing extreme rates to propagate to LendingPool. This high-impact, medium-likelihood vulnerability could inflate borrowing costs or trigger unfair liquidations, bypassing LendingPool’s 5% change limit over time through repeated updates.

Vulnerability Details

The function accepts any uint256 rate from the oracle without validation. Example:

Oracle raises rate from 1e18 to 100e18 (100%) over 60 calls (5% increments, max 1.05e18 each).
LendingPool applies 100e18 to $10M in loans (10M crvUSD).
Health factors drop (e.g., 1.5e18 to 0.75e18), liquidating 5M crvUSD in collateral.
Attacker profits 5M crvUSD from discounted assets.

Impact

The protocol risks significant losses (e.g., 5M crvUSD per exploit), a high-impact issue from distorted rates affecting loan health. The medium likelihood stems from gradual manipulation being feasible with a compromised oracle, threatening financial integrity.

Tools Used

Manual Code Review: To verify missing bounds in _processResponse.

Recommendations

Add bounds validation:

function _processResponse(bytes memory response) internal override {
uint256 newRate = abi.decode(response, (uint256));
require(newRate >= 1e18 && newRate <= 100e18, "Prime rate out of bounds"); // 1% to 100% in RAY
lastPrimeRate = newRate;
lastUpdateTimestamp = block.timestamp;
lendingPool.setPrimeRate(newRate);
emit PrimeRateUpdated(newRate);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.