Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: low
Likelihood: low

Oracle Asset Registration Lacks Existence Validation

Author Revealed upon completion

Root + Impact

Description

  • The protocol assumes that assets queried from the oracle have been explicitly registered with a valid price. However, the oracle does not differentiate between an unregistered asset and a registered asset with a legitimate price, silently returning a default value instead.

  • This behavior makes configuration errors difficult to detect and can cause downstream logic to operate on invalid pricing assumptions without reverting, reducing system robustness.

// Root cause in the codebase with @> marks to highlight the relevant section
// @> No validation that asset has been registered
function getPrice(address asset) external view returns (uint256) {
    return prices[asset];
}

Risk

Likelihood:

  • Occurs during asset onboarding or integration of new markets.

  • Triggered by misconfiguration or incorrect asset address usage.

Impact:

  • Assets may be treated as having a zero price unintentionally.

  • Protocol logic may behave incorrectly without clear error signaling.

Proof of Concept

// Asset never registered
uint256 price = oracle.getPrice(unregisteredAsset);
// price == 0, indistinguishable from valid input
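
The downstream effect, as an added example that is not code from the Stratax codebase or from this submission: a hypothetical `CollateralValuer` prices a position through an oracle that returns the mapping default, and through one that tracks registration. All contract names, the omitted access control and the 18-decimal scaling are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; contract names are hypothetical. Access control on
// setPrice is omitted here for brevity.
contract UncheckedOracle {
    mapping(address => uint256) public prices;

    function setPrice(address asset, uint256 price) external {
        prices[asset] = price;
    }

    // An unset mapping slot reads as 0, so an unknown asset "has" price 0.
    function getPrice(address asset) external view returns (uint256) {
        return prices[asset];
    }
}

contract CheckedOracle {
    error AssetNotRegistered(address asset);

    mapping(address => uint256) public prices;
    mapping(address => bool) public isRegistered;

    function setPrice(address asset, uint256 price) external {
        isRegistered[asset] = true;
        prices[asset] = price;
    }

    // Unknown assets revert instead of returning the default value.
    function getPrice(address asset) external view returns (uint256) {
        if (!isRegistered[asset]) revert AssetNotRegistered(asset);
        return prices[asset];
    }
}

interface IPriceOracle {
    function getPrice(address asset) external view returns (uint256);
}

// Hypothetical consumer: values `amount` of `asset` at the oracle price.
contract CollateralValuer {
    // Assumes 18-decimal prices and amounts (assumption for this example).
    function valueOf(IPriceOracle oracle, address asset, uint256 amount)
        external view returns (uint256)
    {
        return amount * oracle.getPrice(asset) / 1e18;
    }
}
```

With `UncheckedOracle`, `valueOf` for a mistyped or never-registered address returns 0 and the caller continues; with `CheckedOracle` the same call reverts with `AssetNotRegistered`, so the configuration error surfaces at the point of the query.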

Recommended Mitigation

  • Explicitly track asset registration and revert on invalid queries.

- remove this code
+ add this code
mapping(address => uint256) public prices;
+mapping(address => bool) public isRegistered;
function setPrice(address asset, uint256 price) external onlyOwner {
+ isRegistered[asset] = true;
prices[asset] = price;
}
function getPrice(address asset) external view returns (uint256) {
+ require(isRegistered[asset], "Asset not registered");
return prices[asset];
}
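
Review bot: In setPrice, `isRegistered[asset] = true;` is set unconditionally, so a call with `price` equal to 0 marks the asset as registered and getPrice then passes the new require while still returning 0, which is the same value the finding says callers cannot tell apart from a valid price. Consider rejecting a zero price in setPrice (for example `require(price > 0, "Invalid price");`) or documenting that 0 is an accepted registered value. The patch also gives no way to clear isRegistered once it is set, so an asset registered under a wrong address stays queryable; a removal function restricted by onlyOwner would cover that case.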
