Blackhan Software Disclosed Report

Oracle failure due to `address(1)` hardcoded source tokens

Created date
May 17 2025

Target

https://github.com/blackhan-software/xpower-banq/tree/5f734cc14fd05afcf7ee221de0bb600f8ca2339c

Vulnerability Details

The oracle implementations (Oracle_000, Oracle_001, etc.) use address(1) representing USD as the source token for some feeds.

These oracles fail completely: any call that initializes a `_twap` value through `Oracle.refresh()` ends up setting decimals via `_unitOf(source)`, and the `decimalsOf()` staticcall returns false for `address(1)`, which reverts the whole call.

Oracle implementations Oracle_000, Oracle_001, and Oracle_002 will all have broken feeds.

AVAX_USD.getAskToken(), USD_AVAX.getBidToken(), USDC_USD.getAskToken(), USD_USDC.getBidToken(), USDT_USD.getAskToken(), USD_USDT.getBidToken() all return address(1).

When the oracle implementations are deployed, they call _enlist() to set the whitelisted feeds.

  • Oracle_000.sol: _enlist(usd_avax.bidToken(), usd_avax.askToken(), usd_avax, FOR_1Y); sets 0x1 for source token address in _feed.
  • Oracle_001.sol: _enlist(usd_usdc.bidToken(), usd_usdc.askToken(), usd_usdc, FOR_1Y); sets 0x1 for source token address in _feed.
  • Oracle_002.sol: _enlist(usd_usdt.bidToken(), usd_usdt.askToken(), usd_usdt, FOR_1Y); sets 0x1 for source token address in _feed.

Validation steps

Any user who wants an updated `_twap` calls, for example, Oracle.refresh(0x1, 0xB31f66AA3C1e785363F0875A1B74E27b85FD66c7).

This calls Oracle.retwap(0x1, 0xB31f66AA3C1e785363F0875A1B74E27b85FD66c7).

This calls _unitOf(0x1), which calls Token.unitOf(0x1), which in turn calls Token.decimalsOf(0x1). That function performs 0x1.staticcall(), which returns false with no return data, so the call reverts with InvalidDecimals(0x1).

This prevents `_twap` quote values from ever being set for these feeds.

New feed contracts would need to be coded with a value other than address(1), or the unit lookup would need special handling that returns a default value for the address(1) source token.
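The following is an added illustration of the failure path and of the second remediation option (a default unit for the USD sentinel); it is not code from xpower-banq. The library name, the `IDecimals` interface, the `USD_DECIMALS` default of 18 and the `MockToken` are assumptions made for the example. The unchecked path treats a failed staticcall and an empty return buffer alike, since either one leaves nothing to decode.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 metadata surface needed for the unit lookup.
interface IDecimals {
    function decimals() external view returns (uint8);
}

/// Added example library (hypothetical name), not the project's Token library.
library UnitLib {
    /// Sentinel the oracles use to denote USD; there is no token contract here.
    address internal constant USD = address(1);
    /// Assumed default for the sentinel (18 decimals); not specified by the report.
    uint8 internal constant USD_DECIMALS = 18;

    error InvalidDecimals(address token);

    /// Before: every source address is sent a raw `decimals()` staticcall.
    /// For address(1) the call produces no usable return data, so this reverts
    /// with InvalidDecimals(address(1)), which is the failure described above.
    function decimalsOfUnchecked(address token) internal view returns (uint8) {
        (bool ok, bytes memory data) = token.staticcall(
            abi.encodeWithSelector(IDecimals.decimals.selector)
        );
        // A failed call or a short buffer both mean "no decimals here".
        if (!ok || data.length < 32) revert InvalidDecimals(token);
        return abi.decode(data, (uint8));
    }

    /// After: short-circuit the sentinel so it never reaches the staticcall.
    function decimalsOf(address token) internal view returns (uint8) {
        if (token == USD) return USD_DECIMALS;
        return decimalsOfUnchecked(token);
    }

    /// Unit (10 ** decimals) used to scale TWAP quotes.
    function unitOf(address token) internal view returns (uint256) {
        return 10 ** uint256(decimalsOf(token));
    }
}

/// Constructed stand-in for a real token, so the example runs without a fork.
contract MockToken is IDecimals {
    function decimals() external pure returns (uint8) {
        return 6;
    }
}

/// Demonstrates both paths: the hardened lookup succeeds for the sentinel and
/// for a real token, while the unchecked lookup reverts for the sentinel.
contract UnitDemo {
    MockToken public immutable usdc = new MockToken();

    /// Returns (1e18, 1e6) with the assumed default above.
    function hardened() external view returns (uint256 usdUnit, uint256 tokenUnit) {
        usdUnit = UnitLib.unitOf(UnitLib.USD);
        tokenUnit = UnitLib.unitOf(address(usdc));
    }

    /// Reverts with InvalidDecimals(address(1)); this is the reported behaviour.
    function unchecked() external view returns (uint256) {
        return 10 ** uint256(UnitLib.decimalsOfUnchecked(UnitLib.USD));
    }
}
```

Deploying `UnitDemo` and calling `hardened()` returns the two units, while `unchecked()` reverts exactly as the oracle's `retwap` path does today. The sentinel check belongs in the shared unit lookup rather than in each feed, so that every oracle implementation that enlists a USD-denominated feed benefits from it.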

Details

State: disclosed
Severity: Medium
Bounty: $500
Visibility: partially
Vulnerability: DoS with (Unexpected) revert