Code4rena finding CODE423N4:2023-10-OPENDOLLAR-FINDINGS-ISSUES-436
Oct 25, 2023 - 12:00 a.m.

CamelotRelayer uses wrong interface for CamelotPair


AI Score: 7 High (Confidence: Low)

Lines of code
<https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/libraries/OracleLibrary.sol#L74-L88>
<https://github.com/CamelotLabs/core/blob/b51753e816de02e591acb2c07dc9eed7a4179a68/contracts/CamelotPair.sol#L10>

Vulnerability details

Impact

The CamelotRelayer uses the OracleLibrary from Uniswap V3's periphery contracts as its interface for reading oracle data from the CamelotPair contract, which is the Camelot DEX's equivalent of a pool. Because the CamelotPair doesn't implement the same interface as a UniswapV3Pool, calls to the CamelotRelayer's functions will revert.

Proof of Concept

The getResultWithValidity function in CamelotRelayer calls the getOldestObservationSecondsAgo and consult functions in the OracleLibrary.

However, when getOldestObservationSecondsAgo tries to read the observations variable through IUniswapV3Pool, the call reverts because no observations variable is defined on the CamelotPair pool.

The same applies to the consult function, which tries to call the observe function on the CamelotPair pool; the pool doesn't define this function.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a CamelotRelayer that uses the interface of the CamelotPair to retrieve values.

Assessed type

Context
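
An added example, not part of the original finding or of the project's or Camelot's code: a deployment-time guard that rejects a pool address lacking the two Uniswap V3 members the finding names (observations and observe), so the interface mismatch surfaces when a relayer is configured rather than as a revert on the first price read. IV3Oracle, PairWithoutV3Oracle and OracleInterfaceGuard are hypothetical names; the two signatures are those of IUniswapV3Pool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Only the two Uniswap V3 pool members the finding says OracleLibrary reaches.
interface IV3Oracle {
    function observations(uint256 index) external view returns (
        uint32 blockTimestamp, int56 tickCumulative,
        uint160 secondsPerLiquidityCumulativeX128, bool initialized);
    function observe(uint32[] calldata secondsAgos) external view returns (
        int56[] memory tickCumulatives,
        uint160[] memory secondsPerLiquidityCumulativeX128s);
}

// Hypothetical stand-in for a pair exposing neither member (not Camelot's real code).
contract PairWithoutV3Oracle {
    uint256 public reserve;
}

// Hypothetical guard a relayer factory or constructor could call before storing the pool.
contract OracleInterfaceGuard {
    error NotAV3Oracle(address pool);

    function supportsV3Oracle(address pool) public view returns (bool) {
        // An address without code would make a low-level call "succeed" with empty data.
        if (pool.code.length == 0) return false;

        // Low-level staticcall: a missing selector yields ok == false here instead of
        // reverting the caller. try/catch would not catch a return-data decoding failure.
        (bool ok1, bytes memory r1) = pool.staticcall(
            abi.encodeCall(IV3Oracle.observations, (uint256(0))));
        // observations() returns four static words, i.e. exactly 128 bytes.
        if (!ok1 || r1.length != 128) return false;

        uint32[] memory ago = new uint32[](1); // single entry: 0 seconds ago
        (bool ok2, bytes memory r2) = pool.staticcall(
            abi.encodeCall(IV3Oracle.observe, (ago)));
        // Two dynamic arrays of one element each encode to 192 bytes.
        return ok2 && r2.length == 192;
    }

    function requireV3Oracle(address pool) external view {
        if (!supportsV3Oracle(pool)) revert NotAV3Oracle(pool);
    }
}
```

Passing the address of PairWithoutV3Oracle to requireV3Oracle reverts with NotAV3Oracle, which is the outcome the finding reports for getResultWithValidity, moved to configuration time.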

