Omniscia Euler Finance Audit
Manual Review
Manual Review
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in Euler Finance's EVK-compatible oracle system.
As the project at hand implements multiple oracle integrations interfaced via a router, intricate care was put into ensuring that the call flows within the system conform to the specifications and restrictions laid forth within the protocol's specification and that all external interactions are securely performed.
We validated that all state transitions of the system occur within sane criteria and that all rudimentary formulas within the system execute as expected. Additionally, we validated the following security questions that were part of the repository:
Adapters check whether the raw price data is valid or indicates an error condition (e.g. negative price or invalid signature). Are all cases caught?
Is the validation of the
PythStructs.Pricein the Pyth adapter correct? Should theexpoboundary be increased or decreased?Are there real-world cases where we would need a scaling factor larger than 10^38 in
ScaleUtils? Interested in examples for Pyth, Redstone and Chainlink feeds. Note that we consider pricing "by analogy" a valid use case, i.e. using a ETH/USD feed for pricing WETH/GUSD.Are there quirky feeds in Pyth, Redstone and Chainlink which break the assumptions of the adapters? For example, the Redstone adapter has
FEED_DECIMALS=8hardcoded as a constant, whereas the Chainlink adapter relies that the aggregator decimals correctly correspond to the actual decimals.Are there timing games / OEV opportunities that arise from the price caching logic in Redstone and Pyth adapters?
Are the on-chain exchange rate oracles (sDAI, rETH, stEth) immune to manipulation? Are there additional conditions that we can check which could signal that these rates cannot be trusted?
Could any of the hardcoded addresses change under normal operation conditions e.g. as part of an upgrade?
As a result of their investigation, we pinpointed multiple minor-to-moderate vulnerabilities within the system which could have had severe ramifications to its overall operation under specific circumstances.
Additionally, the system was investigated for any other commonly present attack vectors such as re-entrancy attacks, mathematical truncations, logical flaws and ERC / EIP standard inconsistencies. The documentation of the project was satisfactory to the extent it need be, however, the Chronicle Protocol oracle implementation requires additional documentation as the protocol integrated with is not yet mature.
A total of 37 findings were identified over the course of the manual review of which 26 findings concerned the behaviour and security of the system. The non-security related findings, such as optimizations, are included in the separate Code Style chapter.
The finding table below enumerates all these security / behavioural findings:
| ID | Severity | Addressed | Title |
|---|---|---|---|
| COE-01M |  |  | Inexistent Volatility Protection Mechanisms |
| COE-02M |  |  | Inexistent Validation of Acceptable Answer Range |
| COE-03M | |  | Misleading Specification of Usability |
| COE-04M | | | Potentially Unsupported Function Signature |
| COL-01M | | | Inexistent Registration of Chronicle Subscriber |
| COL-02M | | | Potentially Unsupported Function Signature |
| ERR-01M |  | | Improper Oracle Resolution Mechanism |
| ERR-02M |  | | Incorrect Oracle Resolution of EIP-4626 Vaults |
| LOE-01M | | | Potentially Stale Calculation of Exchange Rate (Asynchronous Rewards / Penalties) |
| POE-01M | | | Inexistent Configurability of Confidence Width |
| POE-02M | | | Inexistent Prevention of Overpayment |
| POE-03M | | | Potentially Unsupported Function Signature |
| POE-04M | | | Improper Validation of Exponent |
| RCO-01M | | | Improper Integration of Redstone On-Demand Feeds |
| RCO-02M | | | Inexistent Capability of Functionality Overrides |
| RCO-03M | | | Potentially Unsupported Function Signature |
| RCO-04M | | | Improper Assumption of Oracle Decimals |
| RCO-05M | | | Misconceived Data Staleness |
| ROE-01M | | | Potentially Stale Calculation of Exchange Rate (Asynchronous Rewards / Penalties) |
| SDO-01M | | | Insecure Usage of Outdated Interest Rate Accumulator |
| SUS-01M | | | Potential Increase of Acceptable Values |
| SUS-02M | | | Potential Negation Overflow |
| UVO-01M | | | Inexistent Validation of Observation Cardinality Length |
| UVO-02M | | | Insecure Typecasting Operation (TWAP) |
| UVO-03M | | | Insecure Calculation of Mean Tick |
| UVO-04M | | | Potentially Insecure TWAP Window |