From cdc26552358c8621d4f1c7b897cb32abeb6cf1df Mon Sep 17 00:00:00 2001
From: bwafflef <optisman92@gmail.com>
Date: Thu, 18 May 2023 11:32:05 +0900
Subject: [PATCH] fix: issue#115 - BlueBerryBank#getpositionValue causes DOS if
 reward token is added that doesn't have an oracle

---
 contracts/BlueBerryBank.sol |  6 ++++--
 test/bank.test.ts           | 38 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/contracts/BlueBerryBank.sol b/contracts/BlueBerryBank.sol
index 35ab0566..819b4cc3 100644
--- a/contracts/BlueBerryBank.sol
+++ b/contracts/BlueBerryBank.sol
@@ -408,8 +408,10 @@ contract BlueBerryBank is
             (address[] memory tokens, uint256[] memory rewards) = IERC20Wrapper(
                 pos.collToken
             ).pendingRewards(pos.collId, pos.collateralSize);
-            for (uint256 i; i < tokens.length; i++) {
-                rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]);
+            for (uint256 i; i < tokens.length; i++) {                
+                if (oracle.isTokenSupported(tokens[i])) {
+                    rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]);
+                }
             }
 
             return collValue + rewardsValue;
diff --git a/test/bank.test.ts b/test/bank.test.ts
index a8f7c3cb..f264dcbc 100644
--- a/test/bank.test.ts
+++ b/test/bank.test.ts
@@ -913,7 +913,43 @@ describe('Bank', () => {
         await expect(
           bank.getCurrentPositionInfo()
         ).to.be.revertedWith("BAD_POSITION")
-      })
+      })            
+      it("should not reverted getPositionValue view function call when reward token oracle route is set wrongly", async () => {
+        const depositAmount = utils.parseUnits('100', 18);
+        const borrowAmount = utils.parseUnits('300', 6);
+        const iface = new ethers.utils.Interface(SpellABI);
+
+        await usdc.approve(bank.address, ethers.constants.MaxUint256);
+        await ichi.approve(bank.address, ethers.constants.MaxUint256);
+        await bank.execute(
+          0,
+          spell.address,
+          iface.encodeFunctionData("openPositionFarm", [{
+            strategyId: 0,
+            collToken: ICHI,
+            borrowToken: USDC,
+            collAmount: depositAmount,
+            borrowAmount: borrowAmount,
+            farmingPoolId: ICHI_VAULT_PID
+          }])
+        )
+
+        // set ICHI token oracle route wrongly
+        oracle.setRoutes(
+          [ICHI],
+          [ICHI]
+        );
+  
+        const positionId = (await bank.nextPositionId()).sub(1);
+        const positionValue = await bank.getPositionValue(positionId);
+        expect(positionValue).to.be.gte(BigNumber.from(0));
+  
+        // set ICHI token oracle route correctly
+        oracle.setRoutes(
+          [ICHI],
+          [mockOracle.address]
+        );
+      })    
     })
   })
 })
\ No newline at end of file