Omniscia Moby Audit

FastPriceFeed Manual Review Findings

FPF-01M: Inexistent Validation of Array Length Relations

Description:

The FastPriceFeed::_setPricesAndRiskPremiumsWithBits function does not validate the length relations between its input arrays that must be upheld for the code to work properly.

Impact:

The FastPriceFeed::_setPricesAndRiskPremiumsWithBits function can be invoked with malformed arrays, which we consider invalid input.

Example:

contracts/oracles/FastPriceFeed.sol
    // one bit contains prices of up to 8 option tokens
    // so, 2 length of modelPriceBitArray can contain prices of up to 16 option tokens
    function _setPricesAndRiskPremiumsWithBits(uint256[] memory _modelPriceBitArray, uint256[] memory _riskPremiumBitArray, uint256[] memory _optionTokenIds, uint256[] memory _requestIndexes, uint256 _timestamp) private {
        for (uint256 i = 0; i < _modelPriceBitArray.length; i++) {
            uint256 modelPriceBits = _modelPriceBitArray[i];
            uint256 riskPremiumBits = _riskPremiumBitArray[i];

            // 8 slots of 32 bits each
            for (uint256 j = 0; j < 8; j++) {
                uint256 index = i * 8 + j;

                if (index >= _optionTokenIds.length) { return; }

                uint256 optionTokenId = _optionTokenIds[i * 8 + j];
                uint256 requestIndex = _requestIndexes[i * 8 + j];
                bool shouldUpdate = _setLastUpdatedValues(optionTokenId, _timestamp);

                if (shouldUpdate) {
                    uint256 startBit = 32 * j;

                    uint256 _modelPrice = (modelPriceBits >> startBit) & BITMASK_32;
                    uint256 adjustedModelPrice = (_modelPrice * PRICE_PRECISION) / SERVER_PRICE_PRECISION;

                    uint256 _riskPremium = (riskPremiumBits >> startBit) & BITMASK_32;
                    uint256 adjustedRiskPremium = (_riskPremium * PRICE_PRECISION) / SERVER_PRICE_PRECISION;

                    _setModelPrice(optionTokenId, adjustedModelPrice, fastPriceEvents);
                    _setRiskPremium(optionTokenId, adjustedRiskPremium, requestIndex, fastPriceEvents);
                }
            }
        }
    }

Recommendation:

We advise a require check to be imposed, ensuring that the bit-based arrays have the same length and that the option token ID and request index arrays each have a length less than or equal to the bit-based length multiplied by 8 and greater than the same value minus 8.
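One way to express the recommended length relations, as an added example that is not the Moby code base nor the fix applied in the alleviation commit. The library name, function names and revert strings are hypothetical, and the final equality check is an assumption that goes slightly beyond the recommendation's wording.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; library name, function names and revert strings are hypothetical.
library BitArrayLengthChecks {
    // Each uint256 word carries 8 slots of 32 bits, as in the reviewed loop.
    uint256 internal constant SLOTS_PER_WORD = 8;

    function requireValidLengths(
        uint256[] memory modelPriceBitArray,
        uint256[] memory riskPremiumBitArray,
        uint256[] memory optionTokenIds,
        uint256[] memory requestIndexes
    ) internal pure {
        uint256 words = modelPriceBitArray.length;

        // Both bit-based arrays are read with the same outer index i.
        require(riskPremiumBitArray.length == words, "FPF: bit array length mismatch");

        // Number of 32-bit slots the supplied words can hold.
        uint256 capacity = words * SLOTS_PER_WORD;
        _requireFitsLastWord(optionTokenIds.length, capacity);
        _requireFitsLastWord(requestIndexes.length, capacity);

        // Assumption beyond the recommendation's wording: both arrays are read with
        // the same index, so they are additionally required to be equally long.
        require(requestIndexes.length == optionTokenIds.length, "FPF: id/index length mismatch");
    }

    // Enforces capacity - 8 < length <= capacity: every entry has a slot and
    // no trailing word is left entirely unused.
    function _requireFitsLastWord(uint256 length, uint256 capacity) private pure {
        require(length <= capacity, "FPF: more entries than slots");
        // Written as an addition so that capacity == 0 does not underflow.
        require(length + SLOTS_PER_WORD > capacity, "FPF: unused trailing word");
    }
}
```

Calling such a helper at the top of the function, before the outer loop, rejects malformed input before any array element is read.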

Alleviation (b02fae335f62cc1f5f4236fb4d982ad16a32bd26):

The array lengths are now properly validated precisely per our recommendation, ensuring that all array read operations are safely performed.