minhtrng - Stable prices pose risk in times of volatility

[sherlock-admin]

minhtrng

medium

Stable prices pose risk in times of volatility

Summary

The project enables usage of stable prices for oracles. This poses a risk if the price turns out to be not so stable after all.

Vulnerability Detail

The function Oracle.getUnderlyingPrice enables returning a stable price as oracle price:

function getUnderlyingPrice(address underlying)
    virtual
    external
    view
    returns(int256 answer)
{
    if (stablePrice[underlying] != 0) {
        return stablePrice[underlying];
    }

This can and has caused issues in the past (for reference). Even though the price is not hardcoded here, a change is only possible through governance, which might not be flexible and fast enough to adjust to changing environments

Impact

Price mismatch between oracle and market can cause bad behavior (e.g. reporting enough margin although there is not)

Code Snippet

https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/1f9a5ed0ca8f6004bbb7b099ecbb8ae796557849/hubble-protocol/contracts/Oracle.sol#L30-L32

Tool used

Manual Review

Recommendation

Remove the feature of stable prices

Duplicate of #69