Last updated: March 11, 2025

SCWE-030: Insecure Oracle Data Updates

Stable Version v0.0.1

This content is in version v0.0.1 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

Insecure oracle data updates refer to the failure to properly validate or secure updates to oracle data. This can lead to:

  • Unauthorized actions by malicious actors.
  • Loss of funds or data.
  • Exploitation of the contract's logic.

Remediation

  • Validate updates: Ensure all oracle data updates are properly validated.
  • Restrict access: Restrict update permissions to trusted addresses.
  • Implement timelocks: Add delays to oracle updates to allow for review.

Examples

  • Insecure Oracle Updates

    pragma solidity ^0.8.0;
    
    // Minimal interface for the oracle being called (assumed; the original
    // snippet used `Oracle` without declaring it).
    interface Oracle {
        function updatePrice(uint newPrice) external;
    }
    
    contract InsecureOracleUpdates {
        // Anyone can call this and push any value to any oracle address.
        function updatePrice(address oracle, uint newPrice) public {
            Oracle(oracle).updatePrice(newPrice); // No validation
        }
    }
    

  • Secure Oracle Updates

    pragma solidity ^0.8.0;
    
    // Minimal interface for the oracle being called (assumed; the original
    // snippet used `Oracle` without declaring it).
    interface Oracle {
        function updatePrice(uint newPrice) external;
    }
    
    contract SecureOracleUpdates {
        address public admin;
    
        constructor(address _admin) {
            admin = _admin;
        }
    
        // Only the configured admin may pass this check.
        modifier onlyAdmin() {
            require(msg.sender == admin, "Unauthorized");
            _;
        }
    
        function updatePrice(address oracle, uint newPrice) public onlyAdmin {
            Oracle(oracle).updatePrice(newPrice); // Restricted to admin
        }
    }
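
The secure example above applies only the second remediation (restricted access). The following is an added example, not code from the SCWE page, that applies all three remediations from the list above in one contract: a bounds and deviation check (validate updates), an admin-only proposer (restrict access), and a delay between proposal and execution during which a bad value can be cancelled (timelock). The `Oracle` interface, the contract name `GuardedOracleUpdater`, and the constants `UPDATE_DELAY`, `MAX_DEVIATION_BPS` and `MIN_PRICE` are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface of the downstream oracle (matches the page's call shape).
interface Oracle {
    function updatePrice(uint256 newPrice) external;
}

// Added example: validated, access-controlled, time-locked oracle updates.
contract GuardedOracleUpdater {
    address public immutable admin;
    Oracle public immutable oracle;

    uint256 public currentPrice;        // last price pushed to the oracle
    uint256 public lastUpdateTimestamp; // when it was pushed

    // Pending update, visible on-chain during the review window.
    uint256 public pendingPrice;
    uint256 public pendingEffectiveAt;  // 0 when nothing is pending

    uint256 public constant UPDATE_DELAY = 1 hours;   // timelock length (assumed)
    uint256 public constant MAX_DEVIATION_BPS = 1000; // 10% per update (assumed)
    uint256 public constant MIN_PRICE = 1;            // reject zero/unset values

    event UpdateProposed(uint256 price, uint256 effectiveAt);
    event UpdateExecuted(uint256 price);
    event UpdateCancelled(uint256 price);

    modifier onlyAdmin() {
        require(msg.sender == admin, "Unauthorized");
        _;
    }

    constructor(address _admin, Oracle _oracle, uint256 initialPrice) {
        require(_admin != address(0), "admin is zero");
        require(initialPrice >= MIN_PRICE, "bad initial price");
        admin = _admin;
        oracle = _oracle;
        currentPrice = initialPrice;
        lastUpdateTimestamp = block.timestamp;
    }

    // Validation: reject out-of-range values and implausibly large jumps
    // relative to the price currently in force.
    function _validate(uint256 newPrice) internal view {
        require(newPrice >= MIN_PRICE, "price out of range");
        uint256 diff = newPrice > currentPrice
            ? newPrice - currentPrice
            : currentPrice - newPrice;
        require(diff * 10_000 <= currentPrice * MAX_DEVIATION_BPS, "deviation too large");
    }

    // Step 1: a trusted address proposes; the oracle is not touched yet.
    function proposeUpdate(uint256 newPrice) external onlyAdmin {
        _validate(newPrice);
        pendingPrice = newPrice;
        pendingEffectiveAt = block.timestamp + UPDATE_DELAY;
        emit UpdateProposed(newPrice, pendingEffectiveAt);
    }

    // Step 2: once the delay has elapsed anyone may execute. The value is
    // re-validated against the price current at execution time.
    function executeUpdate() external {
        require(pendingEffectiveAt != 0, "nothing pending");
        require(block.timestamp >= pendingEffectiveAt, "timelock active");
        uint256 price = pendingPrice;
        _validate(price);
        pendingPrice = 0;
        pendingEffectiveAt = 0;
        currentPrice = price;
        lastUpdateTimestamp = block.timestamp;
        oracle.updatePrice(price);
        emit UpdateExecuted(price);
    }

    // A proposal found to be wrong during the review window is withdrawn here.
    function cancelUpdate() external onlyAdmin {
        require(pendingEffectiveAt != 0, "nothing pending");
        emit UpdateCancelled(pendingPrice);
        pendingPrice = 0;
        pendingEffectiveAt = 0;
    }
}
```

The deviation bound is expressed in basis points and compared by cross-multiplication so no division is needed; with `currentPrice` of 1000 and `MAX_DEVIATION_BPS` of 1000, a proposed 1100 passes and 1101 is rejected. Keeping `pendingEffectiveAt` and the pending value in public storage is what makes the timelock useful: monitoring can read them and raise an alert before `executeUpdate` becomes callable.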