Wrong variable in expiration check in `oracle_attest_action::validate`

I'm evaluating a new security tool for Move that highlighted a variable misuse in one suspicious case.

[Here](https://github.com/switchboard-xyz/sui/blob/c3053f782b40ea5100d3f60d476b4dc55469ff34/on_demand/sources/actions/oracle/oracle_attest_action.move#L67) it is:

```move
  // check that the guardian is valid
  assert!(oracle.expiration_time_ms() > clock.timestamp_ms(), EGuardianInvalid);
```

Comment says "guardian", error says `EGuardianInvalid`, but code checks `oracle`. The other suspicious signs I found after manual evaluation:
- `guardian.expiration_time_ms` is never checked in the source code
- Other `oracle.expiration_time_ms` checks raise `EOracleInvalid` ([here](https://github.com/switchboard-xyz/sui/blob/c3053f782b40ea5100d3f60d476b4dc55469ff34/on_demand/sources/actions/aggregator/aggregator_submit_result_action.move#L63) and [here](https://github.com/switchboard-xyz/sui/blob/c3053f782b40ea5100d3f60d476b4dc55469ff34/on_demand/sources/actions/quote/quote_submit_result_action.move#L292)).

So, I suspect the warning is valid. It is likely a typo; should be `guardian.expiration_time_ms()` or comment/error is wrong.

**Impact:** the intended validation logic seems to not work as expected, but it is not exploitable because of `min_attestations`.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wrong variable in expiration check in `oracle_attest_action::validate` #3

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Wrong variable in expiration check in oracle_attest_action::validate #3

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Wrong variable in expiration check in `oracle_attest_action::validate` #3