Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rilwan99 - Users can pass in malicious oracle addresses during createLendOrder() and createBorrowOrder() #998

Open
sherlock-admin2 opened this issue Nov 25, 2024 · 0 comments
Open

rilwan99 - Users can pass in malicious oracle addresses during createLendOrder() and createBorrowOrder() #998

sherlock-admin2 opened this issue Nov 25, 2024 · 0 comments

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Nov 25, 2024
edited by sherlock-admin3
Loading

rilwan99

Medium

Users can pass in malicious oracle addresses during createLendOrder() and createBorrowOrder()

Summary

In debita V3, the protocol supports functionality for users to create lend offers and borrow offers and specify oracle addresses to retrieve the price of collateral/principle tokens instead of just defaulting to a fixed ratio (number of collateral tokens worth per principle token, vice-versa).

The protocol provides various oracle contracts such as DebitaChainLink, DebitaPyth and MixOracle. It is intended for users to provide the address of these oracle contracts during createLendOffer() and createBorrowOffer().

However, there is a lack of validation checks on the addresses provided as oracles. This means that users can use any arbitrary contract as the oracle and still create their lend/ borrow offer, proceed to have their orders matched, etc.

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/DebitaBorrowOffer-Factory.sol#L75-L88

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/DebitaLendOfferFactory.sol#L124-L138

Root Cause

Due to a lack of validation on the addresses provided, users can pass in malicious oracles to inflate the value of their collateral/ principle tokens.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. user creates a borrow order and provides a malicious oracle address as address _oracleID_Collateral
    https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/DebitaBorrowOffer-Factory.sol#L86
  2. In matchOffersV3(), this malicious oracle is used to inflate the value of collateral provided by the borrower
    https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/DebitaV3Aggregator.sol#L308-L310

Impact

No response

PoC

No response

Mitigation

No response
@sherlock-admin3 sherlock-admin3 changed the title Smooth Butter Worm - Users can pass in malicious oracle addresses during createLendOrder() and createBorrowOrder() rilwan99 - Users can pass in malicious oracle addresses during createLendOrder() and createBorrowOrder() Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2