Skip to content
This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

bin2chen - update() wrong privilege control #121

Open
sherlock-admin opened this issue Aug 15, 2023 · 3 comments
Open

bin2chen - update() wrong privilege control #121

sherlock-admin opened this issue Aug 15, 2023 · 3 comments
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Aug 15, 2023
edited by sherlock-admin2
Loading

bin2chen

medium

update() wrong privilege control

Summary

oracle.update() wrong privilege control
lead to OracleFactory.update() unable to add oracleProvider

Vulnerability Detail

in OracleFactory.update() will call oracle.update()

contract OracleFactory is IOracleFactory, Factory {
...
    function update(bytes32 id, IOracleProviderFactory factory) external onlyOwner {
        if (!factories[factory]) revert OracleFactoryNotRegisteredError();
        if (oracles[id] == IOracleProvider(address(0))) revert OracleFactoryNotCreatedError();

        IOracleProvider oracleProvider = factory.oracles(id);
        if (oracleProvider == IOracleProvider(address(0))) revert OracleFactoryInvalidIdError();

        IOracle oracle = IOracle(address(oracles[id]));
@>      oracle.update(oracleProvider);
    }

But oracle.update() permission is needed for OracleFactory.owner() and not OracleFactory itself.

@>  function update(IOracleProvider newProvider) external onlyOwner {
        _updateCurrent(newProvider);
        _updateLatest(newProvider.latest());
    }

    modifier onlyOwner {
@>      if (msg.sender != factory().owner()) revert InstanceNotOwnerError(msg.sender);
        _;
    }

This results in OracleFactory not being able to do update().
Suggest changing the limit of oracle.update() to factory().

Impact

OracleFactory.update() unable to add IOracleProvider

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/OracleFactory.sol#L81

Tool used

Manual Review

Recommendation

contract Oracle is IOracle, Instance {
...

-   function update(IOracleProvider newProvider) external onlyOwner {
+   function update(IOracleProvider newProvider) external {
+       require(msg.sender == factory(),"invalid sender");
        _updateCurrent(newProvider);
        _updateLatest(newProvider.latest());
    }
@github-actions github-actions bot added the Medium A valid Medium severity issue label Aug 18, 2023
@sherlock-admin
Copy link
Contributor Author

1 comment(s) were left on this issue during the judging contest.

141345 commented:

m

@arjun-io arjun-io added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Aug 18, 2023
@sherlock-admin2 sherlock-admin2 changed the title Savory Laurel Gazelle - update() wrong privilege control bin2chen - update() wrong privilege control Aug 23, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Aug 23, 2023
@arjun-io arjun-io mentioned this issue Aug 25, 2023
Merged
@arjun-io
Copy link

Fixed: equilibria-xyz/perennial-v2#81

@MLON33
Copy link

MLON33 commented Sep 14, 2023

From WatchPug,

Fixed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@arjun-io @sherlock-admin @MLON33 @sherlock-admin2