Open code423n4 opened 2 years ago
Disagree with severity (Low risk). Issue would cause deposits and withdrawals to stop; no funds lost.
In my opinion halting the protocol deserves medium risk. While no funds are lost, from a brand perspective it's the second-worst thing. Keeping as medium risk.
Handle
shw
Vulnerability details
Impact
According to Chainlink's documentation, the latestAnswer function is deprecated. This function does not error if no answer has been reached but returns 0, causing an incorrect price to be fed to the Buoy3Pool.
Proof of Concept
Referenced code: Buoy3Pool.sol#L207 Buoy3Pool.sol#L214-L216
Referenced documentation: Chainlink - Deprecated API Reference Chainlink - Migration Instructions Chainlink - API Reference
Recommended Mitigation Steps
Use the latestRoundData function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is incomplete, for example:
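The kind of check the mitigation above describes, as an added Solidity example that is not the warden's code nor Buoy3Pool's own implementation. The contract name SafeChainlinkPrice, the maxStaleness constructor parameter and the revert messages are assumptions; the AggregatorV3Interface declaration is a minimal inline copy of Chainlink's interface so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal inline copy of Chainlink's AggregatorV3Interface (the real one is
// shipped in @chainlink/contracts); declared here so the example is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Illustrative price reader (assumed name, not Buoy3Pool code).
contract SafeChainlinkPrice {
    // Maximum age of an answer before it is treated as stale. Set this per feed
    // from the feed's published heartbeat plus a margin; the value passed to the
    // constructor is the deployer's choice, not one taken from the audited project.
    uint256 public immutable maxStaleness;

    constructor(uint256 _maxStaleness) {
        maxStaleness = _maxStaleness;
    }

    /// Returns the latest validated answer from `feed`.
    /// Reverts with a descriptive message instead of silently yielding 0
    /// (the latestAnswer behaviour the finding describes) when the round is
    /// incomplete, stale, or carries a non-positive answer.
    function getPrice(AggregatorV3Interface feed) public view returns (int256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // A round that has not completed reports updatedAt == 0.
        require(updatedAt != 0, "Chainlink: round not complete");
        // The answer must belong to the current round, not a carried-over one.
        require(answeredInRound >= roundId, "Chainlink: stale round");
        // Reject answers older than the configured heartbeat window.
        require(block.timestamp - updatedAt <= maxStaleness, "Chainlink: stale price");
        // A zero or negative answer is never a valid price for a USD feed.
        require(answer > 0, "Chainlink: invalid price");

        return answer;
    }
}
```

On current OCR feeds answeredInRound always equals roundId (Chainlink's documentation now marks the field as deprecated), so that check is a no-op there but harmless; the updatedAt age check is the one that actually catches a feed that has stopped updating, and maxStaleness should be tuned to each feed's heartbeat rather than shared across feeds with different update frequencies.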