code-423n4 / 2021-06-gro-findings


For chainlink oracle, use latestRoundData instead of latestAnswer to run more validations #81

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

a_delamo

Vulnerability details

Impact

I would recommend using latestRoundData instead of latestAnswer. This way we can run extra validations and make sure that the data is okay.

```solidity
(
    uint80 roundId,
    int256 rawPrice,
    ,                       // startedAt is not used
    uint256 updateTime,
    uint80 answeredInRound
) = AggregatorV3Interface(XXXX).latestRoundData();
require(rawPrice > 0, "Chainlink price <= 0");        // reject zero or negative answers
require(updateTime != 0, "Incomplete round");         // round has not been completed
require(answeredInRound >= roundId, "Stale price");   // answer carried over from an older round
// https://docs.chain.link/docs/developer-communications/
```

A new function latestRoundData has been added. It returns roundId, answer, startedAt, updatedAt, and answeredInRound. This allows consumers of reference data to make decisions around if the data is acceptable in a single function call (ex: if answeredInRound < roundId could indicate stale data).

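
The report's three checks wrapped in a consumer contract, together with a mock feed that lets a test stage each rejected case. This is an added example, not code from the report or from the Gro codebase; `CheckedFeedReader`, `MockAggregator` and `set` are hypothetical names, and the interface is trimmed to the one function used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Trimmed copy of Chainlink's AggregatorV3Interface: only the call used below.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical consumer: a price is returned only if all three checks pass.
contract CheckedFeedReader {
    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface _feed) { feed = _feed; }

    function checkedPrice() external view returns (uint256) {
        (uint80 roundId, int256 rawPrice, , uint256 updateTime, uint80 answeredInRound) =
            feed.latestRoundData();
        require(rawPrice > 0, "Chainlink price <= 0");
        require(updateTime != 0, "Incomplete round");
        require(answeredInRound >= roundId, "Stale price");
        return uint256(rawPrice); // safe: rawPrice is known to be positive here
    }
}

// Constructed mock feed for unit tests; not a Chainlink contract.
contract MockAggregator is AggregatorV3Interface {
    uint80 private roundId_;
    int256 private answer_;
    uint256 private updatedAt_;
    uint80 private answeredInRound_;

    // Stage the round that the next latestRoundData() call will report.
    function set(uint80 r, int256 a, uint256 u, uint80 air) external {
        (roundId_, answer_, updatedAt_, answeredInRound_) = (r, a, u, air);
    }

    function latestRoundData() external view override returns (
        uint80, int256, uint256, uint256, uint80
    ) {
        // startedAt mirrors updatedAt; the reader ignores it.
        return (roundId_, answer_, updatedAt_, updatedAt_, answeredInRound_);
    }
}
```

With the mock deployed as the feed, staging `set(5, 100, 0, 5)` makes `checkedPrice()` revert with "Incomplete round", and `set(5, 100, 1, 4)` makes it revert with "Stale price".
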
flabble-gro commented 3 years ago

Duplicate of #106

ghoul-sol commented 3 years ago

Duplicate of #106 which means it's medium risk.