033.md

Long Stone Urchin

High

Incorrect Parameter Passed to OracleProtectedChild

Summary

An incorrect parameter is passed to the OracleProtectedChild parent constructor in the LenderCommitmentGroup_Smart contract, as the wrong address is provided for _oracleManager, causing functionality relying on OracleProtectedChild to fail.

Root Cause

In the constructor of the LenderCommitmentGroup_Smart contract:

constructor(
    address _tellerV2,
    address _smartCommitmentForwarder,
    address _uniswapV3Factory
) OracleProtectedChild(_smartCommitmentForwarder) {
    TELLER_V2 = _tellerV2;
    SMART_COMMITMENT_FORWARDER = _smartCommitmentForwarder;
    UNISWAP_V3_FACTORY = _uniswapV3Factory;
}

https://github.com/sherlock-audit/2024-11-teller-finance-update/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L280

The _smartCommitmentForwarder is incorrectly passed as the parameter to the OracleProtectedChild parent constructor, but it should have been _oracleManager. This causes the OracleProtectedChild contract to be initialized with the wrong parameter.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The OracleProtectedChild contract is improperly initialized, functionality relying on OracleProtectedChild (e.g., addPrincipalToCommitmentGroup, burnSharesToWithdrawEarnings and liquidateDefaultedLoanWithIncentive could be exploited.

PoC

No response

Mitigation

The parameter passed to the OracleProtectedChild constructor must be corrected.

    constructor(
        address _tellerV2,
        address _smartCommitmentForwarder,
        address _uniswapV3Factory
+       address _oracleManager        
-    ) OracleProtectedChild(_smartCommitmentForwarder) {
+    ) OracleProtectedChild(_oracleManager) {    
        TELLER_V2 = _tellerV2;
        SMART_COMMITMENT_FORWARDER = _smartCommitmentForwarder;
        UNISWAP_V3_FACTORY = _uniswapV3Factory;
    }