Chainlink feed ID not checked in upkeep
Description
The forwarder calls performUpkeep in OstiumPriceUpKeep in order to supply Chainlink price data and fulfill a trade. However, when the verifier response is decoded, the feed ID is discarded rather than assigned to a variable:
    if (!isPremium) {
        (, validFromTimestamp, observationsTimestamp, nativeFee,,, a.price) =
            abi.decode(verifierResponse,
                (bytes32, uint32, uint32, uint192, uint192, uint192, int192));
    } else {
        (, validFromTimestamp, observationsTimestamp, nativeFee,,, a.price,
            a.bid, a.ask) = abi.decode(
                verifierResponse,
                (bytes32, uint32, uint32, uint192, uint192, uint192, int192,
                    int192, int192)
            );
    }
Here, the first field in the struct verifierResponse is the chain ID, and it is not assigned to a variable. At this place in the code, the intended chain ID is already in memory because the order is copied to memory.
Impact
If an upkeeper accidentally uses the incorrect price feed, the on-chain code will not check it and will fulfill the order at an incorrect price. This throws off the net PNL of all positions in the feed and also affects the profit or loss for this position.
Recommendations
This issue is only of informational severity because upkeepers are permissioned and can already affect the price to a degree by varying when exactly to select the price. However, since this is an easy check to make and the relevant quantities are already in memory, we recommend checking that the feed ID is correct.
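One way to make the recommended check is sketched below as an added example; it is not Ostium's code or the fix from the commits. The library, struct, error and parameter names are hypothetical, and the field types and order are taken from the abi.decode calls quoted in the Description. It decodes into structs instead of a flat tuple, which reads the same bytes because every field is a static type.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Ostium's code. All names are hypothetical.
library CheckedReport {
    error FeedIdMismatch(bytes32 expected, bytes32 actual);

    // Seven static words, in the order of the non-premium tuple.
    struct Basic {
        bytes32 feedId;               // the field the quoted snippet discards
        uint32 validFromTimestamp;
        uint32 observationsTimestamp;
        uint192 nativeFee;
        uint192 skipped0;             // skipped by the quoted snippet
        uint192 skipped1;             // skipped by the quoted snippet
        int192 price;
    }

    // Nine static words. A nested struct of static types is encoded in
    // place, so this layout equals the premium tuple.
    struct Premium {
        Basic base;
        int192 bid;
        int192 ask;
    }

    // expectedFeedId is an assumed parameter: the feed ID the caller expects
    // for the order being fulfilled (the order is already in memory).
    function decodeChecked(
        bytes memory verifierResponse,
        bytes32 expectedFeedId,
        bool isPremium
    ) internal pure returns (Premium memory r) {
        if (isPremium) {
            r = abi.decode(verifierResponse, (Premium));
        } else {
            // bid and ask stay zero for the seven-word report.
            r.base = abi.decode(verifierResponse, (Basic));
        }
        // Reject a report for any other feed before its price is used.
        if (r.base.feedId != expectedFeedId) {
            revert FeedIdMismatch(expectedFeedId, r.base.feedId);
        }
    }
}
```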
Remediation
This issue has been acknowledged by Ostium Labs, and fixes were implemented in the following commits: