Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: low
Likelihood: low

Oracle Price Domain Not Validated Enables Invalid Zero or Extreme Values

Author: Revealed upon completion

Root + Impact

Description

  • Price feeds are expected to return values within a sane domain.

The oracle's price setter stores whatever value it is given, including zero or extreme values, without validation; downstream calculations that divide by or scale with the stored price then revert or misprice.

// Root cause in the codebase with @> marks to highlight the relevant section
// StrataxOracle.sol
// @> No bounds check on price
prices[asset] = price;

Risk

Likelihood:

  • Occurs due to misconfiguration or operational mistakes.

Can be triggered during maintenance or testing.

Impact:

  • Division-by-zero risks or extreme valuation distortions.

Protocol operations may revert or behave unexpectedly.

Proof of Concept

oracle.setPrice(asset, 0); // accepted: no bounds check, zero is stored
deposit();                 // downstream math fails or misprices
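As an added example (not the Stratax Contracts code), the pattern this finding describes: a minimal oracle with the unchecked setter beside a setter that applies the suggested bounds check, and a consumer that divides by the stored price. The contract name, the value of `MAX_PRICE`, and `sharesFor` are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Stratax Contracts code: the unchecked setter
// from the finding beside a bounded one, plus a consumer that divides by the price.
contract BoundedOracle {
    // Assumed upper bound; the real value depends on the asset's price scaling.
    uint256 public constant MAX_PRICE = 1e30;
    address public immutable owner;
    mapping(address => uint256) public prices;

    event PriceSet(address indexed asset, uint256 price);
    error InvalidPrice(uint256 price);
    error PriceNotSet(address asset);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Vulnerable pattern: any value, including 0 or type(uint256).max, is stored.
    function setPriceUnchecked(address asset, uint256 price) external onlyOwner {
        prices[asset] = price;
        emit PriceSet(asset, price);
    }

    // Hardened pattern: reject zero and out-of-range values before storing.
    function setPrice(address asset, uint256 price) external onlyOwner {
        if (price == 0 || price >= MAX_PRICE) revert InvalidPrice(price);
        prices[asset] = price;
        emit PriceSet(asset, price);
    }

    // Reads refuse an unset or zero price, so consumers never divide by zero.
    function getPrice(address asset) public view returns (uint256 price) {
        price = prices[asset];
        if (price == 0) revert PriceNotSet(asset);
    }

    // Consumer: shares minted for a deposit worth `value` (18-decimal scaling assumed).
    // With the unchecked setter and a zero price, the division below would hit
    // a division-by-zero panic instead of a clear revert.
    function sharesFor(address asset, uint256 value) external view returns (uint256) {
        return value * 1e18 / getPrice(asset);
    }
}
```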

Recommended Mitigation

- remove this code
+ add this code
+ require(price > 0 && price < MAX_PRICE, "Invalid price");
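Review bot: the template placeholder lines `- remove this code` and `+ add this code` are still in the hunk; replace them with the actual line being changed (or drop the `-` line if nothing is removed) so the diff applies to `StrataxOracle.sol`. Also, `MAX_PRICE` is not declared in the snippet shown, so the recommendation should say where it comes from (a constant or an owner-configured bound), and the `require` belongs immediately before `prices[asset] = price;` in the setter.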
