Skip to content

[oracle-verifier] get_median_value ignores OracleEntry weights — low-weight oracles have equal influence as high-weight oracles #134

Description

@nonsobethel0-dev

Summary

get_median_value() in contracts/oracle-verifier/src/lib.rs (lines 337–367) computes a simple unweighted median of all oracle submissions. The weight field registered via add_oracle() is stored in OracleEntry but is never used during aggregation.

Code

fn get_median_value(env: &Env, data_type: &Symbol, key: &Symbol) -> i128 {
    let points: Vec<OracleDataPoint> = ...;
    let mut values: Vec<i128> = Vec::new(env);
    for i in 0..n {
        values.push_back(points.get_unchecked(i).value); // ← weight ignored
    }
    // simple insertion sort + median
}

OracleDataPoint does not even carry the oracle's weight — it stores confidence but that is also not used in the median calculation.

Impact

  • A low-quality oracle registered with weight = 1 has identical influence over the payout trigger as a premium oracle with weight = 100
  • Admin-configured oracle reputation is meaningless: the weight system provides no actual protection
  • An adversary who compromises a single low-weight oracle can shift the median by 50% when there are only 3 oracles (1 compromised vs 2 legitimate)

Fix

Implement a weighted median. For each oracle, repeat its value weight times before sorting, or use a proper weighted median algorithm:

// Load OracleEntry to get weight for each point
for i in 0..n {
    let point = points.get_unchecked(i);
    let oracle_key = StorageKey::Oracle(data_type.clone(), point.oracle.clone());
    let entry: OracleEntry = env.storage().persistent().get(&oracle_key).unwrap();
    for _ in 0..entry.weight {
        values.push_back(point.value);
    }
}

Severity: High

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions