This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
WATCHPUG - Wrong Oracle feed addresses #817
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Comments
github-actions
bot
added
High
github-actions
bot
added
Has Duplicates
This was referenced Jun 23, 2023
Closed
Closed
This was referenced Jun 23, 2023
Closed
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
WATCHPUG
high
Wrong Oracle feed addresses
Summary
Wrong Oracle feed addresses will result in wrong prices.
Vulnerability Detail
StableOracleWBTC.sol#L17 the address is not the BTC/USD feed address.
StableOracleDAI.sol#L28,
DAIEthOracleis wrong.StableOracleDAI.sol#L30, address for
ethOracleis address zero (a hanging todo).StableOracleWBGL.sol#L19, the address for staticOracleUniV3 is wrong, the current one is actually the univ3 pool address.
Impact
Wrong prices for collateral assets.
Code Snippet
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L8-L28
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L23-L31
https://github.com/USSDofficial/ussd-contracts/blob/f44c726371f3152634bcf0a3e630802e39dec49c/contracts/oracles/StableOracleWBGL.sol#L17-L22
Tool used
Manual Review
Recommendation
Use correct addresses.
The text was updated successfully, but these errors were encountered: