This repository has been archived by the owner on Jan 7, 2024. It is now read-only.
Bauchibred - Pricing on liquidations can still be bogus #239
Labels: Non-Reward (This issue will not receive a payout), Bauchibred, medium
Pricing on liquidations can still be bogus
Summary
This was originally submitted by hyh in the V1 contest (found here). The issue was submitted, but the mitigation applied still does not solve it, as the check was applied to the price immediately returned from `latestRoundData`, whereas Hubble deals in 6 decimals. If `answer < 100`, the division at L35, `answer /= 100;`, sidesteps the non-positive check at L34, i.e. in this scenario the submitted issue is not really mitigated against.

NB: A similar case can also be made for `formatPrice()`, and the `getUnderlyingPrice` function is extensively used in AMM.sol, orderbook.sol, IF.sol ... all within Hubble.
Vulnerability Detail
See summary, and then take a look at Oracle.sol#L24-L36. Check the `@audit` tag. One could argue that for this to happen the price has already gone very low, and in the case of the index/mark ideology it doesn't count, since an index price < 100 (in 8 decimals) will probably mean 0 in 6 decimals. All other instances implementing `getUnderlyingPrice()` would be affected, be it the liquidations or the implementations in InsuranceFund.sol or clearingHouse.sol ...

Note that this can easily allow a liquidation at a non-market price that happens to not even be printed in the oracle feed. For more insight: since other ERC20s are going to be added, a flash crash could happen to any of the future ERC20s to be integrated, which easily means that users could be liquidated at a value where they shouldn't be liquidatable.
Hypothetical POC
2-99x more than the needed healthy level
Impact
Same as the previous report, but even worse, since in this case the attacker doesn't even need to wait for a price outbreak, but rather just for when it's less than 100.
Code Snippet
Oracle.sol#L24-L36
Tool used
Recommendation
This all stems from incorrectly checking for non-positive prices, so this should be fixed, i.e. the amount should be checked to be above its denominator.
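The check-then-scale ordering the report describes, beside the hardened form its recommendation asks for, as an added illustration that is not Hubble's Oracle.sol and not code from the reporter. `MockFeed`, `OracleDemo`, `priceVulnerable`, `priceFixed` and the `SCALE` constant are assumed names; the only thing taken from the report is the shape of the bug (a positivity check on the raw 8-decimal Chainlink answer followed by `/= 100`). Deploy `MockFeed`, point `OracleDemo` at it, and call `set(1)` through `set(99)`: `priceVulnerable()` returns 0 while `priceFixed()` reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink-style aggregator interface; only latestRoundData is needed here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Constructed mock feed (not a real Chainlink aggregator): returns whatever
// 8-decimal answer the caller sets, so a "flash crash" into the 1..99 range
// (below 0.000001 in 6-decimal terms) can be simulated without a live feed.
contract MockFeed is AggregatorV3Interface {
    int256 public answer;

    function set(int256 a) external {
        answer = a;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (0, answer, 0, block.timestamp, 0);
    }
}

// Hypothetical oracle wrapper showing both orderings side by side.
contract OracleDemo {
    // Chainlink USD feeds report 8 decimals; the consumer wants 6, so divide by 10**2.
    int256 private constant SCALE = 100;

    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface f) {
        feed = f;
    }

    // Pattern the report describes: positivity is checked on the raw 8-decimal
    // answer, and only afterwards is the value scaled to 6 decimals. Any answer
    // in 1..99 passes the check and truncates to 0 in the division, so callers
    // (liquidation paths included) receive a price of zero that never appeared
    // on the feed.
    function priceVulnerable() external view returns (int256 answer) {
        (, answer, , , ) = feed.latestRoundData();
        require(answer > 0, "non_positive");
        answer /= SCALE; // 1..99 -> 0 here
    }

    // Hardened variant in the spirit of the recommendation: the raw answer must
    // be at least the scaling denominator, so the 6-decimal result is >= 1 and
    // can never be zero. The check is on the pre-division value, which is what
    // the positivity check was meant to protect.
    function priceFixed() external view returns (int256 answer) {
        (, answer, , , ) = feed.latestRoundData();
        require(answer >= SCALE, "price_below_precision");
        answer /= SCALE;
    }
}
```

Checking `answer >= SCALE` rather than `answer > 0` is the whole fix; the same reasoning applies to any other conversion helper (the report names `formatPrice()`) that validates an input and then divides it by a power of ten.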
Duplicate of #99