This repository has been archived by the owner on Dec 10, 2023. It is now read-only.
Chinmay - An Oracle Signer can never be removed even if he becomes malicious #205
Labels
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Chinmay
high
An Oracle Signer can never be removed even if he becomes malicious
Summary
The call flow of removeOracleSIgner incorrectly compares the hash of ("removeOracleSigner", account) with the hash of ("addOracleSigner", account) for validating that an action is actually initiated. This validation always fails because the hashes can never match.
Vulnerability Detail
The process of removing oracle signers is 2 stage. First function
signalRemoveOracleSigner
is called by the TimelockAdmin which stores a time-delayed timestamp corresponding to the keccak256 hash of ("removeOracleSigner", account) - a bytes32 value called actionKey in the pendingActions mapping.Then the Admin needs to call function
removeOracleSignerAfterSignal
but this function calls_addOracleSignerActionKey
instead of_removeOracleSignerActionKey
for calculating the bytes32 action key value. Now the actionKey is calculated as keccak256 hash of ("addOracleSigner", account) and this hash is used for checking if this action is actually pending by ensuring its timestamp is not zero inside the_validateAction
function called via_validateAndClearAction
function at Line 122. The hash of ("removeOracleSigner", account) can never match hash of ("addOracleSigner", account) and thus this validation will fail.Impact
The process of removing an Oracle Signer will always revert and this breaks an important safety measure if a certain oracle signer becomes malicious the TimelockAdmin could do nothing(these functions are meant for this). Hence, important functionality is permanently broken.
Code Snippet
https://github.com/sherlock-audit/2023-04-gmx/blob/06ccd8c7ee4cadc46e3ac412dcf141eefdced42f/gmx-synthetics/contracts/config/Timelock.sol#L117
Tool used
Manual Review
Recommendation
Replace the call to _addOracleSignerActionKey at Line 118 by call to _removeOracleSignerActionKey
The text was updated successfully, but these errors were encountered: