search

Cyfrin / 2023-07-foundry-defi-stablecoin

38 stars 33 forks source link

`latestRoundData()` has no check for round completeness #1036

Open codehawks-bot opened 1 year ago

codehawks-bot commented 1 year ago

latestRoundData() has no check for round completeness

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/libraries/OracleLib.sol#L21C4-L34C1

Summary

No check for RoundCompleteness could lead to stale prices and wrong price return value, or outdated price.

Vulnerability Details

The oracle wrapper staleCheckLatestRoundData(priceFeed) call out chainlink oracle with latestRoundData() to get the price of some token. Although the returned timestamp is checked that it's within the TIMEOUT,but there is no check for round completeness.

https://docs.chain.link/data-feeds/historical-data

Impact

If there is a problem with chainlink starting a new round and finding consensus on the new value for the oracle (e.g. chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale data (if oracles are unable to submit no new round is started).

This could lead to stale prices and wrong price return value, or outdated price https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/libraries/OracleLib.sol#L21C4-L34C1

Reference- https://solodit.xyz/issues/m-7-latestrounddata-has-no-check-for-round-completeness-sherlock-isomorph-isomorph-git

Tools Used

Manual review

Recommendations

Validate data feed for round completeness

+ if(answeredInRound < roundId) revert RoundNotComplete()