Root + Impact
Protocol functions depending on price information can unexpectedly revert if a token has not yet been assigned a pool or if the pool has been removed.
Description
In the function at https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L19, the oracle performs:
https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L20
https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L21
There is no validation that swapPool is not the zero address. If the factory returns the zero address, ITSwapPool(address(0)) is invoked. The zero address has no code, so the external call returns no data and decoding the expected return value reverts.
Every function depending upon:
https://github.com/CodeHawks-Contests/ai-thunder-loan/blob/035f6dc903d7ac12c4ccf6d267a09810d3d64ef8/src/protocol/OracleUpgradeable.sol#L19 will therefore revert unexpectedly.
Affected functionality includes:
flash loans
deposits
fee calculations
Risk
Likelihood:
Medium.
This depends on protocol configuration.
Misconfiguration during deployment or governance changes is sufficient to trigger the issue.
Impact:
Creates an unnecessary denial-of-service condition for otherwise valid protocol operations.
Proof of Concept
Suppose
Factory.getPool(token)
↓
address(0)
Then
ITSwapPool(address(0))
.getPriceOfOnePoolTokenInWeth();
attempts an external call to an address with no contract code.
ABI decoding fails because no return data exists.
Every caller of
getCalculatedFee()
reverts.
Consequently
deposit()
flashloan()
become unusable for that asset.
Recommended Mitigation
Validate the returned pool before querying it.
require(pool != address(0), "Pool not found");
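The failure mode and the recommended check side by side, as an added example that is not code from the Thunder Loan repository. The contracts EmptyFactory, UnguardedOracle, GuardedOracle and Demo are constructed for illustration, the interface name IPoolFactory and the compiler version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version

// Interface and function names follow the calls quoted in the finding;
// every contract below is constructed for illustration.
interface IPoolFactory { function getPool(address token) external view returns (address); }
interface ITSwapPool { function getPriceOfOnePoolTokenInWeth() external view returns (uint256); }

// Constructed factory with no pools registered: every lookup yields address(0).
contract EmptyFactory is IPoolFactory {
    function getPool(address) external pure override returns (address) { return address(0); }
}

contract UnguardedOracle {
    IPoolFactory private immutable i_factory;
    constructor(IPoolFactory factory) { i_factory = factory; }
    // Pattern from the finding: the lookup result is called without validation.
    function getPriceInWeth(address token) external view returns (uint256) {
        address pool = i_factory.getPool(token);
        return ITSwapPool(pool).getPriceOfOnePoolTokenInWeth();
    }
}

contract GuardedOracle {
    IPoolFactory private immutable i_factory;
    constructor(IPoolFactory factory) { i_factory = factory; }
    function getPriceInWeth(address token) external view returns (uint256) {
        address pool = i_factory.getPool(token);
        // Recommended mitigation: fail early with an explicit reason.
        require(pool != address(0), "Pool not found");
        return ITSwapPool(pool).getPriceOfOnePoolTokenInWeth();
    }
}

contract Demo {
    // Captures the revert data each oracle produces for a token that has no pool.
    function revertData(address token) external returns (bytes memory unguarded, bytes memory guarded) {
        IPoolFactory factory = new EmptyFactory();
        UnguardedOracle a = new UnguardedOracle(factory);
        GuardedOracle b = new GuardedOracle(factory);
        try a.getPriceInWeth(token) returns (uint256) {} catch (bytes memory data) { unguarded = data; }
        try b.getPriceInWeth(token) returns (uint256) {} catch (bytes memory data) { guarded = data; }
    }
}
```

Calling revertData shows what an operator would see when diagnosing the failure: the unguarded path reverts with empty revert data, while the guarded path reverts with the encoded "Pool not found" reason.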