Thunder Loan

AI First Flight #7
Beginner Friendly, Foundry, DeFi, Oracle
Submission Details
Impact: medium
Likelihood: medium
Invalid

Oracle Does Not Validate Pool Existence

Root + Impact

Protocol functions depending on price information can unexpectedly revert if a token has not yet been assigned a pool or if the pool has been removed.

Description

In the https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L19 function, the oracle performs:
https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L20
https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L21
There is no validation that swapPool is not the zero address. If the factory returns the zero address, ITSwapPool(address(0)) is invoked; any external call to the zero address returns no code, causing decoding of the expected return value to revert.
Every function depending upon
https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L19 will therefore revert unexpectedly.
Affected functionality includes:
flash loans
deposits
fee calculations

Risk

Likelihood:

Medium.
This depends on protocol configuration.
Misconfiguration during deployment or governance changes is sufficient to trigger the issue.

Impact:

Creates an unnecessary denial-of-service condition for otherwise valid protocol operations.

Proof of Concept

Suppose Factory.getPool(token) returns address(0).
Then ITSwapPool(address(0)).getPriceOfOnePoolTokenInWeth(); attempts an external call to an address with no contract code.
ABI decoding fails because no return data exists.
Every caller of getCalculatedFee() reverts.
Consequently, deposit() and flashloan() become unusable for that asset.

Recommended Mitigation

Validate the returned pool before querying it.
Add this code:
require(pool != address(0), "Pool not found");
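
The lookup described above, with and without the recommended check, as an added example that is not code from the Thunder Loan repository. The interface shapes are assumed from the calls the report names, and EmptyFactory, OracleSketch, Probe, priceUnchecked, priceChecked and compare are hypothetical names. Both variants revert when no pool exists; the check changes what the caller gets back.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Interface shapes are assumed from the calls named in the report.
interface IPoolFactory {
    function getPool(address token) external view returns (address);
}

interface ITSwapPool {
    function getPriceOfOnePoolTokenInWeth() external view returns (uint256);
}

// Constructed stand-in: a factory with no pool registered for any token.
contract EmptyFactory is IPoolFactory {
    function getPool(address) external pure returns (address) {
        return address(0);
    }
}

contract OracleSketch {
    IPoolFactory public immutable factory;

    constructor(IPoolFactory factory_) {
        factory = factory_;
    }

    // Unchecked lookup: with pool == address(0) the call targets an address
    // without code, no uint256 can be decoded, and the call reverts without a reason.
    function priceUnchecked(address token) external view returns (uint256) {
        address pool = factory.getPool(token);
        return ITSwapPool(pool).getPriceOfOnePoolTokenInWeth();
    }

    // Checked lookup: still reverts, but with a reason string an operator can act on.
    function priceChecked(address token) external view returns (uint256) {
        address pool = factory.getPool(token);
        require(pool != address(0), "Pool not found");
        return ITSwapPool(pool).getPriceOfOnePoolTokenInWeth();
    }
}

// Captures the raw revert data of each variant so the two can be compared.
contract Probe {
    function compare(OracleSketch o, address token) external view returns (bytes memory rawData, bytes memory checkedData) {
        try o.priceUnchecked(token) {} catch (bytes memory d) { rawData = d; } // expected: empty
        try o.priceChecked(token) {} catch (bytes memory d) { checkedData = d; } // expected: Error("Pool not found")
    }
}
```

Deploy OracleSketch with an EmptyFactory and call Probe.compare with any token address to see the two revert payloads side by side.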
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
