Missing Oracle Access Control
Description
The oracle update in the $F() function has no access control, so any caller can invoke it and potentially manipulate the oracle's state.
Examples
Insecure Code

```solidity
// Anyone can call this and push a new observation into the oracle.
function updateOracle() external { _updateOracle(block.number, ...); }
```

Secure Code

```solidity
// Only the vault may call this; other callers revert in onlyVault.
function updateOracle() external onlyVault { _updateOracle(block.number, ...); }
```

Remediation
Add access control to restrict the Oracle update to only authorized users, such as the vault or balancer.
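The remediation in a complete, hypothetical oracle contract, added here as an example that is not part of the original rule text: the `onlyVault` modifier, the `vault` address, the `Observation` struct, the `NotVault` error and the `OracleUpdated` event are all assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical oracle illustrating CODE-0483. Everything below the pragma
/// (vault address, Observation, NotVault, OracleUpdated) is assumed for the example.
contract PriceOracle {
    struct Observation {
        uint256 blockNumber;
        uint256 price;
    }

    /// The only address allowed to write to the oracle; fixed at deployment.
    address public immutable vault;
    Observation public latest;

    /// Emitted on every successful update so off-chain monitoring can
    /// attribute each observation to the caller that wrote it.
    event OracleUpdated(address indexed caller, uint256 blockNumber, uint256 price);

    error NotVault(address caller);

    constructor(address vault_) {
        require(vault_ != address(0), "vault required");
        vault = vault_;
    }

    /// Restricts oracle writes to the vault; any other caller reverts.
    modifier onlyVault() {
        if (msg.sender != vault) revert NotVault(msg.sender);
        _;
    }

    /// Secure form of the rule's example: the modifier is the access check
    /// that the insecure version lacks.
    function updateOracle(uint256 price) external onlyVault {
        _updateOracle(block.number, price);
    }

    function _updateOracle(uint256 blockNumber, uint256 price) internal {
        latest = Observation(blockNumber, price);
        emit OracleUpdated(msg.sender, blockNumber, price);
    }
}
```

Dropping `onlyVault` from `updateOracle` reproduces the insecure pattern the rule flags; keeping it means an update from any address other than `vault` reverts with `NotVault`.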
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0483 |
| Category | AccessControl |
| Severity | CRITICAL |
| CWE | CWE-284 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | oracle, access control |
| OWASP | N/A |