
[Bug]: Hardcoded uco price allows defi oracle attacks #63

Open

Description

UCO.OracleChain (lib/archethic/oracle_chain.ex) uses the get_uco_price method to retrieve the current UCO price; however, if for some reason the node can't fetch the price, it returns a hardcoded price:

  def get_uco_price(date = %DateTime{}) do
    case MemTable.get_oracle_data("uco", date) do
      {:ok, prices, _} ->
        Enum.map(prices, fn {pair, price} -> {String.to_existing_atom(pair), price} end)

      # Fallback: when no oracle data is available for `date`, a fixed price is returned
      _ ->
        [eur: 0.05, usd: 0.07]
    end
  end

This fallback mechanism allows txs to continue using this hardcoded price, leading to bad accounting and possibly allowing DeFi oracle attacks such as:

  • inflation attacks
  • swapping tokens with an incorrect native cryptocurrency price.

Attack example scenario

Suppose the current UCO price is 1 EUR and the price oracles went down.
An attacker takes advantage of this situation and tries to swap 100 euros (in a stablecoin, for example) for UCO:
the node returns a 0.05 EUR price for each UCO, so the attacker receives 2000 UCO instead of 100.

Severity

Critical

Platform

Linux

Version of Archethic apps

Latest version

Fix

Return an error and stop the tx if the price couldn't be fetched, instead of returning a hardcoded price.
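The following is an added example illustrating the proposed fix, not code from the Archethic repository or from the issue author. It shows a fail-closed variant of get_uco_price that returns an error tuple instead of the hardcoded price, plus a hypothetical caller (quote_swap) that rejects the transaction when no oracle price is available. MemTable.get_oracle_data/2 is assumed to have the return shape visible in the issue and is stubbed here with an in-memory map so the module runs stand-alone; the dates, prices and the quote_swap function are constructed for the example.

```elixir
# Added example (not project code): fail-closed price lookup and a caller that
# aborts the transaction when the oracle price is unavailable.

defmodule OraclePriceExample do
  # Constructed stand-in for UCO.OracleChain.MemTable; returns {:ok, prices, date}
  # when data exists for the date, and an error tuple otherwise.
  defmodule MemTable do
    @data %{
      ~U[2024-01-01 00:00:00Z] => %{"eur" => 1.0, "usd" => 1.1}
    }

    def get_oracle_data("uco", date = %DateTime{}) do
      case Map.fetch(@data, date) do
        {:ok, prices} -> {:ok, prices, date}
        :error -> {:error, :not_found}
      end
    end
  end

  # Listing the supported pairs as atoms guarantees that String.to_existing_atom/1
  # succeeds for them and fails loudly for anything unexpected.
  @supported_pairs [:eur, :usd]
  def supported_pairs, do: @supported_pairs

  # Fail closed: no fallback literal. Either oracle prices exist for `date`
  # or the caller gets {:error, :price_unavailable}.
  @spec get_uco_price(DateTime.t()) :: {:ok, keyword()} | {:error, :price_unavailable}
  def get_uco_price(date = %DateTime{}) do
    case MemTable.get_oracle_data("uco", date) do
      {:ok, prices, _} ->
        {:ok, Enum.map(prices, fn {pair, price} -> {String.to_existing_atom(pair), price} end)}

      _ ->
        {:error, :price_unavailable}
    end
  end

  # Hypothetical caller: compute the UCO owed for a fiat amount and refuse to
  # price the swap when the oracle price is missing, unsupported or non-positive.
  def quote_swap(fiat_amount, currency, date)
      when is_number(fiat_amount) and fiat_amount > 0 do
    with {:ok, prices} <- get_uco_price(date),
         {:ok, price} <- Keyword.fetch(prices, currency),
         true <- price > 0 do
      {:ok, fiat_amount / price}
    else
      {:error, :price_unavailable} -> {:error, :price_unavailable}
      :error -> {:error, {:unsupported_pair, currency}}
      false -> {:error, :invalid_price}
    end
  end
end

# Oracle data present: 100 EUR buys 100 UCO at 1 EUR each.
{:ok, 100.0} = OraclePriceExample.quote_swap(100, :eur, ~U[2024-01-01 00:00:00Z])

# Oracle data missing: the swap is rejected instead of being priced at the
# hardcoded 0.05 EUR, so the 2000-UCO outcome from the scenario cannot occur.
{:error, :price_unavailable} =
  OraclePriceExample.quote_swap(100, :eur, ~U[2024-06-01 00:00:00Z])
```

Run it with `elixir oracle_price_example.exs`; the two pattern matches at the bottom raise a MatchError if the behaviour differs from what is described. The design point is that the error is surfaced as a tagged tuple rather than swallowed, so every transaction path that depends on the price has to handle the missing-price case explicitly.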
