Description
UCO.OracleChain (lib/archethic/oracle_chain.ex) uses the get_uco_price function to retrieve the current UCO price; however, if for some reason the node can't fetch the price, it returns a hardcoded price:
```elixir
def get_uco_price(date = %DateTime{}) do
  case MemTable.get_oracle_data("uco", date) do
    {:ok, prices, _} ->
      Enum.map(prices, fn {pair, price} -> {String.to_existing_atom(pair), price} end)

    _ ->
      [eur: 0.05, usd: 0.07]
  end
end
```
This fallback allows transactions to continue using the hardcoded price, leading to bad accounting and possibly enabling DeFi oracle attacks such as:
- inflation attacks
- swapping tokens at an incorrect native cryptocurrency price.
Attack example scenario
Suppose the current UCO price is 1 EUR and the price oracles go down.
An attacker takes advantage of this situation and tries to swap 100 euros (in a stablecoin, for example) for UCO:
The node returns a price of 0.05 EUR per UCO, so the attacker receives 2000 UCO instead of 100.
Severity
Critical
Platform
Linux
Version of Archethic apps
Latest version
Fix
Return an error and stop the transaction if the price couldn't be fetched, instead of falling back to a hardcoded price.
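The following is an added example of the fail-closed behaviour described above; it is not Archethic's code. It assumes only what the snippet in this issue shows, namely that MemTable.get_oracle_data/2 returns {:ok, prices, _} on success; the module names UCO.OracleChainHardened and Example.SwapValidation, and the error atoms, are hypothetical.

```elixir
# Added example (not Archethic's code): fail closed when the oracle has no price.
# Assumes MemTable.get_oracle_data/2 returns {:ok, prices, timestamp} on success,
# as in the vulnerable snippet above. Module and error names are hypothetical.
defmodule UCO.OracleChainHardened do
  @doc """
  Returns {:ok, [eur: price, usd: price]} when oracle data is available for
  `date`, or {:error, :uco_price_unavailable} otherwise. There is no fallback
  price: a missing oracle value must never be silently replaced by a constant.
  """
  @spec get_uco_price(DateTime.t()) :: {:ok, keyword()} | {:error, :uco_price_unavailable}
  def get_uco_price(date = %DateTime{}) do
    case MemTable.get_oracle_data("uco", date) do
      {:ok, prices, _timestamp} ->
        {:ok, Enum.map(prices, fn {pair, price} -> {String.to_existing_atom(pair), price} end)}

      _ ->
        {:error, :uco_price_unavailable}
    end
  end
end

# Caller side (hypothetical validation step): a transaction that depends on the
# UCO price is rejected with an explicit reason rather than priced with a
# hardcoded value. With the scenario in this issue (oracle down, 100 EUR swap)
# this returns {:error, :uco_price_unavailable} instead of minting 2000 UCO.
defmodule Example.SwapValidation do
  @spec price_swap(number(), DateTime.t()) :: {:ok, float()} | {:error, atom()}
  def price_swap(amount_eur, date = %DateTime{}) do
    with {:ok, prices} <- UCO.OracleChainHardened.get_uco_price(date),
         {:ok, eur_price} <- Keyword.fetch(prices, :eur),
         # A zero or negative quote is as dangerous as a missing one.
         true <- eur_price > 0 || {:error, :invalid_uco_price} do
      {:ok, amount_eur / eur_price}
    else
      {:error, reason} -> {:error, reason}
      # Keyword.fetch/2 returns the bare atom :error when the pair is absent.
      :error -> {:error, :eur_pair_missing}
    end
  end
end
```

Because the hardened function returns a tagged tuple, every caller is forced to handle the unavailable case explicitly; the transaction is stopped at validation time, and the rejection reason can be logged or counted so that an oracle outage shows up in monitoring rather than in the ledger.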