CVE-2019-20809

Name of the Vulnerable Software and Affected Versions: Compound Price Oracle versions 1.0 through 2.0

Description: The issue concerns the price oracle in Compound Finance's Compound Price Oracle, where the setPrice function in PriceOracle.sol lacks sufficient input validation. This allows a price poster to set an invalid asset price, potentially violating the intended limits on price swings. The vulnerability can be exploited by a remote attacker to elevate their privileges.

Recommendations: For Compound Price Oracle versions 1.0 through 2.0, consider restricting access to the setPrice function in PriceOracle.sol to minimize the risk of exploitation. As a temporary workaround, avoid using the setPrice function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.