Omniscia Euler Finance Audit
Governance Static Analysis Findings
GOV-01S: Permission of Zero-Address Chainlink Feed
Type | Severity | Location |
---|---|---|
Input Sanitization | | Governance.sol:L104 |
Description:
The setChainlinkPriceFeed function permits a zero-address to be set for the chainlinkAggregator, which goes against the assumptions of the system: based on the Chainlink-specific check of setPricingConfig, the system assumes that chainlinkPriceFeedLookup will always be non-zero.
Impact:
As the system permits a pricing type of PRICINGTYPE__CHAINLINK to only be settable when chainlinkPriceFeedLookup is non-zero, this assumption can currently be broken and would lead to a misconfiguration of the system.
Example:
contracts/modules/Governance.sol
```solidity
function setChainlinkPriceFeed(address underlying, address chainlinkAggregator) external nonReentrant governorOnly {
    address eTokenAddr = underlyingLookup[underlying].eTokenAddress;
    require(eTokenAddr != address(0), "e/gov/underlying-not-activated");

    chainlinkPriceFeedLookup[underlying] = chainlinkAggregator;

    emit GovSetChainlinkPriceFeed(underlying, chainlinkAggregator);
}
```
Recommendation:
We advise a require check to be introduced preventing the oracle from ever being set to zero as otherwise the system can misbehave.
Alleviation:
A zero-address check was properly introduced for the Chainlink Aggregator address thereby alleviating this exhibit.
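The sketch below is an added illustration, not code from the Euler repository or from the audit: a reduced model of the two setters named in this finding, showing the recommended require next to the setPricingConfig check it protects. The contract name, the activate helper, the simplified setPricingConfig signature, the pricing-type value, the revert strings and the invariantHolds view are assumptions; access control and reentrancy guards are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Reduced model (assumption): only the state this finding touches is kept.
contract GovernanceModel {
    uint16 internal constant PRICINGTYPE__CHAINLINK = 4; // illustrative value

    mapping(address => address) public eTokenLookup;             // stand-in for underlyingLookup[...].eTokenAddress
    mapping(address => address) public chainlinkPriceFeedLookup; // underlying => aggregator
    mapping(address => uint16) public pricingType;               // underlying => selected pricing type

    event GovSetChainlinkPriceFeed(address indexed underlying, address chainlinkAggregator);

    // Hypothetical helper standing in for market activation.
    function activate(address underlying, address eToken) external {
        require(eToken != address(0), "model/bad-etoken");
        eTokenLookup[underlying] = eToken;
    }

    // Chainlink-specific check: the pricing type can only be selected
    // once a feed has been registered for the underlying.
    function setPricingConfig(address underlying, uint16 newPricingType) external {
        require(eTokenLookup[underlying] != address(0), "model/underlying-not-activated");
        if (newPricingType == PRICINGTYPE__CHAINLINK) {
            require(chainlinkPriceFeedLookup[underlying] != address(0), "model/feed-not-initialized");
        }
        pricingType[underlying] = newPricingType;
    }

    function setChainlinkPriceFeed(address underlying, address chainlinkAggregator) external {
        require(eTokenLookup[underlying] != address(0), "model/underlying-not-activated");
        // Recommended check. Without it, a feed registered before
        // setPricingConfig could later be overwritten with address(0),
        // leaving a Chainlink-priced market with no aggregator.
        require(chainlinkAggregator != address(0), "model/bad-chainlink-address");

        chainlinkPriceFeedLookup[underlying] = chainlinkAggregator;
        emit GovSetChainlinkPriceFeed(underlying, chainlinkAggregator);
    }

    // The assumption stated in the finding, written as a checkable invariant:
    // a Chainlink-priced underlying always has a non-zero feed.
    function invariantHolds(address underlying) external view returns (bool) {
        return pricingType[underlying] != PRICINGTYPE__CHAINLINK
            || chainlinkPriceFeedLookup[underlying] != address(0);
    }
}
```

With the second require in place, invariantHolds stays true under any ordering of the two setters; removing it allows the feed to be cleared after the pricing type has been selected.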