
Data returned by latestRoundData not checked enough to determine if price is stale #99

Open
codehawks-bot opened this issue Aug 5, 2023 · 0 comments

Comments

@codehawks-bot


Severity

Medium Risk

Relevant GitHub Links

sherlock-audit/2023-02-blueberry-judging#94

Summary

When a Chainlink Aggregator is used to fetch the latest price of a token, there are not enough checks to determine whether the returned price is stale.

Vulnerability Details

Currently, in OracleLib, when latestRoundData is read, the only check is that updatedAt lies between block.timestamp - 3 hours and block.timestamp; if it does not, the price is considered stale. This check alone cannot be used to determine whether the price is stale. The window itself should also be reviewed, because some price feeds may not be updated for a long time while the price is still valid (e.g. when the market is not very active or there is no fluctuation in price).

Impact

The returned prices can be stale, so calculations that depend on the price, such as computing a user's health factor, would be incorrect, and the wrong health factor output would put the protocol into an incorrect state.

Tools Used

Manual review

Recommendations

In order to properly evaluate whether the price is up-to-date, the following checks should also be performed:

```solidity
(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
    priceFeed.latestRoundData();

// require(bool, CustomError()) needs Solidity 0.8.26 or later; older compilers need if/revert.
require(answer > 0, OracleLib__PriceCannotBeZero());           // a non-positive answer is never a valid price
require(answeredInRound >= roundId, OracleLib__StalePrice());   // answer must belong to the current round
require(updatedAt != 0, OracleLib__RoundNotCompleted());        // updatedAt == 0 means the round never completed
```
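The following is an added example, not code from the audited OracleLib, showing the existing 3-hour age check combined with the three recommended checks in one read path. The library name, function name, the per-feed `heartbeat` parameter (so an inactive feed can be given a longer window, as the issue suggests) and the trimmed AggregatorV3Interface are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Subset of Chainlink's AggregatorV3Interface, assumed here so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical library name; mirrors the checks recommended in the issue.
library CheckedOracleLib {
    error OracleLib__PriceCannotBeZero();
    error OracleLib__StalePrice();
    error OracleLib__RoundNotCompleted();

    /// @param priceFeed the Chainlink aggregator to read
    /// @param heartbeat maximum accepted age of the answer (the issue's OracleLib used 3 hours);
    ///        chosen per feed, since quiet markets legitimately update less often
    function getCheckedPrice(AggregatorV3Interface priceFeed, uint256 heartbeat)
        internal
        view
        returns (uint256)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // Round must have completed: Chainlink reports updatedAt == 0 for an incomplete round.
        if (updatedAt == 0) revert OracleLib__RoundNotCompleted();

        // Answer must come from the current round, not be carried over from an earlier one.
        if (answeredInRound < roundId) revert OracleLib__StalePrice();

        // Existing age check: reject timestamps in the future or older than the feed's heartbeat.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > heartbeat) {
            revert OracleLib__StalePrice();
        }

        // A zero or negative answer is never a valid price.
        if (answer <= 0) revert OracleLib__PriceCannotBeZero();

        return uint256(answer);
    }
}
```

Callers pass the heartbeat documented for each specific feed rather than one global window, so the age check does not reject valid prices from feeds that update rarely.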