Beautiful Fossilized Griffin - Oracle validation bypass enables price manipulation & DoS

[sherlock-admin2]

Beautiful Fossilized Griffin

Medium

Oracle validation bypass enables price manipulation & DoS

Summary

• Unsafe int256 -> uint256 casting in _getLatestPrice() method(in MixedPriceOracleV4.sol), this will cause massive fund loss for protocol users, as malicious oracles will return negative prices that convert to astronomical positive values.
• missing zero-price validation will cause the system halt for all users as faulty oracles will return 0 prices that trigger division-by-zero reverts.

Root Cause

• _getLatestPrice() method in MixedPriceOracleV4.sol:159, 163
  https://github.com/sherlock-audit/2025-07-malda/blob/main/malda-lending/src/oracles/MixedPriceOracleV4.sol#L159
  https://github.com/sherlock-audit/2025-07-malda/blob/main/malda-lending/src/oracles/MixedPriceOracleV4.sol#L163
  There is unsafe casting of int256 oracle prices to uint256 without negative value validation
• _getLatestPrice() method in MixedPriceOracleV4.sol:147
  https://github.com/sherlock-audit/2025-07-malda/blob/main/malda-lending/src/oracles/MixedPriceOracleV4.sol#L147
  The deltaBps calculation divides by eOraclePrice without checking if it equals ZERO

Internal Pre-conditions

• eOracle/Api3 feed needs to return negative int256 price value to set eOraclePrice/apiV3Price to be less than 0
• eOracle feed needs to return zero price to set eOraclePrice to be exactly 0

External Pre-conditions

• API3/eOracle needs to return negative price value due to malfunction, data corruption, system error, or network issues
• eOracle network needs to experience downtime, causing price to default to 0

Attack Path

• Attacker manipulates one oracle to return negative price, another to return zero
• Attacker first exploits the negative price bug to gain massive collateral
• Attacker then triggers the division by zero bug to prevent liquidations
• Attacker withdraws stolen funds while liquidation system is disabled
• Protocol suffers maximum damage - funds stolen AND system frozen

Impact

The protocol suffers total fund drainage. The attacker gains unlimited borrowing against worthless collateral.
It also can't process any price-dependent operations (minting, borrowing, liquidations) for affected markets. Users cannot access their funds or perform any trading activities until oracle feeds are restored.

PoC

No response

Mitigation

// Validate prices are positive before casting int256 -> uint256 in _getLatestPrice()
require(apiV3Price > 0, "API3 price must be positive");
require(eOraclePrice > 0, "eOracle price must be positive");