{"componentChunkName":"component---node-modules-rocketseat-gatsby-theme-docs-core-src-templates-docs-query-js","path":"/manual-review/Oracles-ORA","result":{"data":{"mdx":{"id":"ea1c3988-8da5-5487-a028-45e24453aaa1","excerpt":"ORA-01M: Inexistent Validation of Signature Payload Submitter Type Severity Location Logical Fault Medium Oracles.sol:L148 ,  L195 ,  L238 ,  L280 Description…","fields":{"slug":"/manual-review/Oracles-ORA/"},"frontmatter":{"title":"Oracles Manual Review Findings","description":"Contains all the findings that relate to manual review on the contract codebase","image":null,"disableTableOfContents":null},"body":"var _excluded = [\"components\"];\n\nfunction _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsxRuntime classic */\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"Oracles Manual Review Findings\",\n  \"description\": \"Contains all the findings that relate to manual review 
on the contract codebase\"\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, _excluded);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    \"id\": \"span-idora-01mora-01m-inexistent-validation-of-signature-payload-submitterspan\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#span-idora-01mora-01m-inexistent-validation-of-signature-payload-submitterspan\",\n    \"aria-label\": \"span idora 01mora 01m inexistent validation of signature payload submitterspan permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"span\", {\n    id: \"ORA-01M\"\n  }, \"ORA-01M: Inexistent Validation of Signature Payload Submitter\")), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Type\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Severity\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Location\"))), mdx(\"tbody\", {\n    parentName: 
\"table\"\n  }, mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"/stakewise-eth2-staking-implementation/appendix/finding-types#logical-fault\"\n  }, \"Logical Fault\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"span\", {\n    className: \"o-severity o-medium\"\n  }, \"Medium\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/stakewise/contracts/blob/2608b37dfdd47298f24d39838b5301a3ce0ecf4e/contracts/Oracles.sol#L148\"\n  }, \"Oracles.sol:L148\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/stakewise/contracts/blob/2608b37dfdd47298f24d39838b5301a3ce0ecf4e/contracts/Oracles.sol#L195\"\n  }, \"L195\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/stakewise/contracts/blob/2608b37dfdd47298f24d39838b5301a3ce0ecf4e/contracts/Oracles.sol#L238\"\n  }, \"L238\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/stakewise/contracts/blob/2608b37dfdd47298f24d39838b5301a3ce0ecf4e/contracts/Oracles.sol#L280\"\n  }, \"L280\"))))), mdx(\"h3\", {\n    \"id\": \"description\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#description\",\n    \"aria-label\": \"description permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 
0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Description:\"), mdx(\"p\", null, \"The various signature-based functions of the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"Oracles\"), \" implementation do not validate the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"msg.sender\"), \" and thus allow anyone to submit a set of valid \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"signatures\"), \" that will result in the corresponding action being executed. While this allows for versatility, it enables complex attacks to unfold by an attacker inspecting the mempool, identifying the action being performed and executing it themselves with transactions before and after it that would normally be impossible, such as flash loans. An example of this would be the significant dilution of the new reward-per-token increase by a user inspecting the mempool for a valid \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"submitRewards\"), \" invocation, making a flash loan deposit to a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"Pool\"), \" and in turn to \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"StakedEthToken\"), \" thus diluting the rewards. 
While the impact is offset by the maximum pending validators threshold, it is still an example of what permissionless submission of vote executions can lead to.\"), mdx(\"h3\", {\n    \"id\": \"example\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#example\",\n    \"aria-label\": \"example permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-sol\",\n    \"metastring\": \"title=contracts/Oracles.sol highlight={12} lineNumbers=true lineOffset=141\",\n    \"title\": \"contracts/Oracles.sol\",\n    \"highlight\": \"{12}\",\n    \"lineNumbers\": \"true\",\n    \"lineOffset\": \"141\"\n  }, \"/**\\n * @dev See {IOracles-submitRewards}.\\n */\\nfunction submitRewards(\\n    uint256 totalRewards,\\n    uint256 activatedValidators,\\n    bytes[] memory signatures\\n)\\n    external override whenNotPaused\\n{\\n    require(\\n        signatures.length.mul(3) > getRoleMemberCount(ORACLE_ROLE).mul(2),\\n        \\\"Oracles: invalid number of signatures\\\"\\n    );\\n\\n    // calculate candidate ID hash\\n    uint256 nonce = rewardsNonce.current();\\n    bytes32 candidateId = ECDSAUpgradeable.toEthSignedMessageHash(\\n        keccak256(abi.encode(nonce, 
activatedValidators, totalRewards))\\n    );\\n\\n    // check signatures and calculate number of submitted oracle votes\\n    address[] memory signedOracles = new address[](signatures.length);\\n    for (uint256 i = 0; i < signatures.length; i++) {\\n        bytes memory signature = signatures[i];\\n        address signer = ECDSAUpgradeable.recover(candidateId, signature);\\n        require(hasRole(ORACLE_ROLE, signer), \\\"Oracles: invalid signer\\\");\\n\\n        for (uint256 j = 0; j < i; j++) {\\n            require(signedOracles[j] != signer, \\\"Oracles: repeated signature\\\");\\n        }\\n        signedOracles[i] = signer;\\n        emit RewardsVoteSubmitted(msg.sender, signer, nonce, totalRewards, activatedValidators);\\n    }\\n\\n    // increment nonce for future signatures\\n    rewardsNonce.increment();\\n\\n    // update total rewards\\n    rewardEthToken.updateTotalRewards(totalRewards);\\n\\n    // update activated validators\\n    if (activatedValidators != pool.activatedValidators()) {\\n        pool.setActivatedValidators(activatedValidators);\\n    }\\n}\\n\")), mdx(\"h3\", {\n    \"id\": \"recommendation\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#recommendation\",\n    \"aria-label\": \"recommendation permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 
3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Recommendation:\"), mdx(\"p\", null, \"We advise the functions handling \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"signatures\"), \" payloads to either be invocable only by existing \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"ORACLE_ROLE\"), \" members or to ensure that the caller is equal to the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"tx.origin\"), \", which rejects calls made through an intermediary contract and so prevents the submission from being combined with a flash loan in a single transaction. The latter would be a temporary solution as \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://eips.ethereum.org/EIPS/eip-3074\"\n  }, \"EIP-3074\"), \" will deprecate this security feature; however, it will be valid for at least the foreseeable future (a lifetime of over 6 months) given that it would be a consortium upgrade. Should it be applied, we advise the Stakewise team to simply monitor upcoming Ethereum upgrades and adjust the code as necessary, given that the upgradeable nature of the contract permits them to.\"), mdx(\"h3\", {\n    \"id\": \"alleviation\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#alleviation\",\n    \"aria-label\": \"alleviation permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Alleviation:\"), mdx(\"p\", null, \"Caller validation was introduced to the sensitive subset of 
functions exposed by the contracts thus alleviating this exhibit.\"), mdx(ViewDiffButton, {\n    repoUrl: \"https://github.com/stakewise/contracts\",\n    mainHash: \"2608b37dfdd47298f24d39838b5301a3ce0ecf4e\",\n    fixHash: \"63d0cccb5e238ae47831bead683e0fc72620eaaf\",\n    mdxType: \"ViewDiffButton\"\n  }), mdx(\"h2\", {\n    \"id\": \"span-idora-02mora-02m-single-point-of-failurespan\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#span-idora-02mora-02m-single-point-of-failurespan\",\n    \"aria-label\": \"span idora 02mora 02m single point of failurespan permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"span\", {\n    id: \"ORA-02M\"\n  }, \"ORA-02M: Single Point of Failure\")), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Type\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Severity\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Location\"))), mdx(\"tbody\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    
\"href\": \"/stakewise-eth2-staking-implementation/appendix/finding-types#logical-fault\"\n  }, \"Logical Fault\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"span\", {\n    className: \"o-severity o-medium\"\n  }, \"Medium\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/stakewise/contracts/blob/2608b37dfdd47298f24d39838b5301a3ce0ecf4e/contracts/Oracles.sol#L118-L132\"\n  }, \"Oracles.sol:L118-L132\"))))), mdx(\"h3\", {\n    \"id\": \"description-1\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#description-1\",\n    \"aria-label\": \"description 1 permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Description:\"), mdx(\"p\", null, \"The contract suffers from a SPoF whereby an oracle's membership is completely dictated by either the role administrator or the administrator of the contract which is able to grant such a role. 
This can affect consortiums and to that extent all votes processed via the system.\"), mdx(\"h3\", {\n    \"id\": \"example-1\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#example-1\",\n    \"aria-label\": \"example 1 permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-sol\",\n    \"metastring\": \"title=contracts/Oracles.sol highlight={5,13} lineNumbers=true lineOffset=117\",\n    \"title\": \"contracts/Oracles.sol\",\n    \"highlight\": \"{5,13}\",\n    \"lineNumbers\": \"true\",\n    \"lineOffset\": \"117\"\n  }, \"/**\\n * @dev See {IOracles-addOracle}.\\n */\\nfunction addOracle(address account) external override {\\n    grantRole(ORACLE_ROLE, account);\\n    emit OracleAdded(account);\\n}\\n\\n/**\\n * @dev See {IOracles-removeOracle}.\\n */\\nfunction removeOracle(address account) external override {\\n    revokeRole(ORACLE_ROLE, account);\\n    emit OracleRemoved(account);\\n}\\n\")), mdx(\"h3\", {\n    \"id\": \"recommendation-1\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#recommendation-1\",\n    \"aria-label\": \"recommendation 1 permalink\",\n    
\"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Recommendation:\"), mdx(\"p\", null, \"We advise this trait to be carefully examined and if deemed undesirable, we advise the inclusion and removal of new oracles to be performed via an on-chain vote instead.\"), mdx(\"h3\", {\n    \"id\": \"alleviation-1\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#alleviation-1\",\n    \"aria-label\": \"alleviation 1 permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Alleviation:\"), mdx(\"p\", null, \"The Stakewise team stated that the administrator of the system is the Stakewise DAO, which can only perform actions after votes 
have been processed and properly timelocked. As a result, we consider this exhibit dealt with.\"), mdx(ViewDiffButton, {\n    repoUrl: \"https://github.com/stakewise/contracts\",\n    mainHash: \"2608b37dfdd47298f24d39838b5301a3ce0ecf4e\",\n    fixHash: \"63d0cccb5e238ae47831bead683e0fc72620eaaf\",\n    mdxType: \"ViewDiffButton\"\n  }));\n}\n;\nMDXContent.isMDXComponent = true;","headings":[{"depth":2,"value":"<span id=\"ORA-01M\">ORA-01M: Inexistent Validation of Signature Payload Submitter</span>"},{"depth":3,"value":"Description:"},{"depth":3,"value":"Example:"},{"depth":3,"value":"Recommendation:"},{"depth":3,"value":"Alleviation:"},{"depth":2,"value":"<span id=\"ORA-02M\">ORA-02M: Single Point of Failure</span>"},{"depth":3,"value":"Description:"},{"depth":3,"value":"Example:"},{"depth":3,"value":"Recommendation:"},{"depth":3,"value":"Alleviation:"}]}},"pageContext":{"slug":"/manual-review/Oracles-ORA/","prev":{"label":"MerkleDistributor.sol (MDR-M)","link":"/manual-review/MerkleDistributor-MDR"},"next":{"label":"Pool.sol (POO-M)","link":"/manual-review/Pool-POO"}}},"staticQueryHashes":["1954253342","2328931024","2501019404","973074209"]}