Key used in oracle entry storage is forgable by trusted publisher
Description
The oracle/library.cairo code is responsible for much of the core implementation of the oracle itself. The oracle uses "entries" to record the current value for a given asset pair or other kinds of tracked elements. The oracle code defines a "publish entry" external function that allows callers to submit an entry to be recorded.
The main authorization check verifies that the caller's address equals the expected publisher address, which is reported by the publisher registry contract. This ensures that the transaction can only be performed by a preconfigured publisher. However, while the check confirms that the caller is a preconfigured publisher, the stored entry is not keyed by this caller address.
Entries define multiple relevant properties. Namely, entries define a timestamp, the value, a pair id, a source, and a publisher.
struct Entry:
member pair_id : felt
member value : felt
member timestamp : felt
member source : felt
member publisher : felt
end
The pair id is a string identifying the pair of assets this entry tracks; for example, it could be the felt value that encodes the string "eth/usd". The other interesting property is the source. The source and the publisher are not necessarily the same: the publisher attests to the value of data from a particular source. Therefore, an entry submitted by a publisher could contain _any_ source string desired.
Entries are stored in a map called Oracle_entry_storage, which is keyed by two values: the entry's pair id and the entry's source. Because entry sources can be any value decided by the publisher and entries are not keyed by their publisher, rogue publishers can overwrite the values set by other publishers.
Impact
Approved publishers that have turned rogue can set entries for arbitrary sources and key ids even if those sources are the responsibility of other publishers.
Recommendations
Consider either keying on the publisher address or tracking which sources a particular publisher is allowed to publish. The latter will require an additional check that the specified source is allowed to be published by the calling publisher.
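To make the storage-key problem and the recommended fix concrete, here is an added Python model of the two designs; it is not the project's Cairo code, and the publisher names, source strings and per-publisher source allow-list are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """Mirrors the fields of the Cairo Entry struct."""
    pair_id: str
    value: int
    timestamp: int
    source: str
    publisher: str


class VulnerableOracle:
    """Storage keyed by (pair_id, source) only, as in the finding."""

    def __init__(self, registered_publishers):
        # Stand-in for the publisher registry contract (constructed data).
        self.publishers = set(registered_publishers)
        self.storage = {}  # Oracle_entry_storage: (pair_id, source) -> Entry

    def publish_entry(self, caller, entry):
        # The only authorization check: caller must be a registered publisher.
        if caller not in self.publishers or entry.publisher != caller:
            raise PermissionError("caller is not a registered publisher")
        # The key omits the publisher, so any registered publisher can
        # overwrite an entry another publisher wrote for the same source.
        self.storage[(entry.pair_id, entry.source)] = entry

    def get_entry(self, pair_id, source):
        return self.storage[(pair_id, source)]


class HardenedOracle(VulnerableOracle):
    """Adds the recommended check: a publisher may only write the sources
    it has been assigned (mapping publisher -> iterable of sources)."""

    def __init__(self, allowed_sources):
        super().__init__(allowed_sources)  # registry = keys of the mapping
        self.allowed_sources = {p: set(s) for p, s in allowed_sources.items()}

    def publish_entry(self, caller, entry):
        # Reject sources that this publisher is not responsible for,
        # including calls from addresses absent from the allow-list.
        if entry.source not in self.allowed_sources.get(caller, set()):
            raise PermissionError(f"{caller} may not publish source {entry.source}")
        super().publish_entry(caller, entry)
```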
Remediation
The issue was addressed in a later update.