Skip to content
This repository has been archived by the owner on Dec 17, 2023. It is now read-only.

mrpathfindr - Dangerous arbitrary timestamp parameters may lead to inaccurate results. #137

Closed
sherlock-admin opened this issue Jun 12, 2023 · 7 comments
Closed

mrpathfindr - Dangerous arbitrary timestamp parameters may lead to inaccurate results. #137

sherlock-admin opened this issue Jun 12, 2023 · 7 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Copy link
Contributor

mrpathfindr

medium

Dangerous arbitrary timestamp parameters may lead to inaccurate results.

Summary

The functions putPrice and updatePrices controlled by the FEEDER_ROLE contain arbitrary timestamp values. These two functions are responsible for setting the current price or prices of an asset. As such the timestamp at which they are updates should be the current timestamp and nothing else.

Vulnerability Detail

Let us examine the function putPrice

    function putPrice(address asset, uint64 timestamp, uint256 price) public onlyRole(FEEDER_ROLE) {
        uint64 prev_timestamp = prices[asset].timestamp;
        uint256 prev_price = prices[asset].price;
        require(prev_timestamp < timestamp, "Outdated timestamp"); //@audit update the price to block.timestamp
        prices[asset] = IOracle.Price(asset, timestamp, prev_timestamp, price, prev_price);
        emit newPrice(asset, timestamp, price);
    }

The timestamp can be set to a time in the future, e.g (block.timestamp + 3 days ) which would be the incorrect putTimeStamp.

Impact

It is possible for the FEEDER to set a timestamp that is unrealistic or inaccurate rather than the correct timestamp.

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/XOracle.sol#L26-L46

Tool used

Manual Review

Recommendation

I recommend mitigating the potential for an incorrect timestamp being applied by setting the value to the current time at which the function is called. Like so:

  function putPrice(address asset, uint256 price) public onlyRole(FEEDER_ROLE) {
        uint64 prev_timestamp = prices[asset].timestamp;
        uint256 prev_price = prices[asset].price;

        prices[asset] = IOracle.Price(asset, block.timeStamp, prev_timestamp, price, prev_price);
        emit newPrice(asset, timestamp, price);
    }

Additionally. with this implementation, there will be no need for this statement require(prev_timestamp < block.timeStamp, "Outdated timestamp"); as block.timeStamp will always be greater than prev_timestamp `
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jun 19, 2023
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label Jun 22, 2023
@mrpathfindr
Copy link

Escalate for 10 USDC
This should be a valid medium as it is not the expected behaviour for time at which the price for an asset has been updated to be an arbitrary value that could be any value in the future.

The put price should be block.timeStamp. The FEEDER should not be able to manipulate the timestamp.

This block of code require(prev_timestamp < timestamp, "Outdated timestamp"); is completely redundant.

The current implementation leaves the protocol exposed to timestamp manipulation that can be easily avoided if at the time putPrice is called by the feeder, timestamp in IOracle.Price is set to block.timeStamp

Impact: Let's say there are multiple feeder for each stable currency, one feeder updates the put price to 10 years in the future, a subsequent feeder will have to update the price to a time above 10 years. An obvious issue for the protocol.

@sherlock-admin
Copy link
Contributor Author

Escalate for 10 USDC
This should be a valid medium as it is not the expected behaviour for time at which the price for an asset has been updated to be an arbitrary value that could be any value in the future.

The put price should be block.timeStamp. The FEEDER should not be able to manipulate the timestamp.

This block of code require(prev_timestamp < timestamp, "Outdated timestamp"); is completely redundant.

The current implementation leaves the protocol exposed to timestamp manipulation that can be easily avoided if at the time putPrice is called by the feeder, timestamp in IOracle.Price is set to block.timeStamp

Impact: Let's say there are multiple feeder for each stable currency, one feeder updates the put price to 10 years in the future, a subsequent feeder will have to update the price to a time above 10 years. An obvious issue for the protocol.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Jun 22, 2023
@ctf-sec
Copy link
Collaborator

ctf-sec commented Jun 23, 2023

admin input issue is not valid

@0xruhum
Copy link

0xruhum commented Jun 24, 2023

protocol doesn't really care about the timestamp anyways. It always gets the most recent entry

@jacksanford1
Copy link

Should remain invalid due to the assumption that an admin will make a mistake:

It is possible for the FEEDER to set a timestamp that is unrealistic or inaccurate rather than the correct timestamp.

@jacksanford1 jacksanford1 added Escalation Resolved This issue's escalations have been approved/rejected Escalated This issue contains a pending escalation and removed Escalated This issue contains a pending escalation Escalation Resolved This issue's escalations have been approved/rejected labels Jul 5, 2023
@hrishibhat
Copy link

Result:
Low
Unique

@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected and removed Escalated This issue contains a pending escalation labels Jul 6, 2023
@sherlock-admin
Copy link
Contributor Author

Escalations have been resolved successfully!

Escalation status:

@sherlock-audit sherlock-audit deleted a comment from jacksanford1 Jul 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@hrishibhat @jacksanford1 @0xruhum @sherlock-admin @ctf-sec @mrpathfindr