Closed code423n4 closed 3 years ago
cmichel
There is no check in UniswapV3Oracle.ethPrice if the return values indicate stale data. This could lead to stale prices according to the Chainlink documentation:
It also seems to use the deprecated API (latestAnswer) and a hardcoded decimals of 1e8?
"This API is deprecated. Please see API Reference for the latest Price Feed API." (Chainlink Docs)
Stale prices that do not reflect the current market price anymore could be used which would influence the liquidation pricing.
Add the recommended checks:
```solidity
(
    uint80 roundID,
    int256 price,
    ,
    uint256 timeStamp,
    uint80 answeredInRound
) = chainlink.latestRoundData();
// A zero timestamp means the round has not completed.
require(
    timeStamp != 0,
    "ChainlinkOracle::getLatestAnswer: round is not complete"
);
// The answer must come from this round or a later one, not be carried over.
require(
    answeredInRound >= roundID,
    "ChainlinkOracle::getLatestAnswer: stale data"
);
require(price != 0, "Chainlink Malfunction");
```
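The checks above placed in a complete price reader, as an added example that is not code from the report or from the audited project. The contract name `CheckedEthPrice`, the `maxAge` parameter and the revert strings are assumptions; the example also goes beyond the report by rejecting answers older than `maxAge` and by reading `decimals()` from the feed instead of hardcoding 1e8.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink's AggregatorV3Interface, reduced to the two functions used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
}

// Hypothetical consumer; not the UniswapV3Oracle contract from the finding.
contract CheckedEthPrice {
    AggregatorV3Interface public immutable feed;
    // Assumption: maximum accepted answer age in seconds, chosen per feed.
    uint256 public immutable maxAge;

    constructor(AggregatorV3Interface _feed, uint256 _maxAge) {
        feed = _feed;
        maxAge = _maxAge;
    }

    /// @return price ETH price scaled to 18 decimals
    function ethPrice() external view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // The three checks recommended in the report.
        require(updatedAt != 0, "round is not complete");
        require(answeredInRound >= roundId, "stale data");
        // Stricter than != 0 because the answer is cast to uint256 below.
        require(answer > 0, "invalid price");

        // Added beyond the report: bound the age of the answer.
        // A timestamp in the future underflows and reverts under 0.8 checked math.
        require(block.timestamp - updatedAt <= maxAge, "price too old");

        // Read the feed's precision instead of assuming 8 decimals.
        uint8 feedDecimals = feed.decimals();
        require(feedDecimals <= 18, "unsupported decimals");
        price = uint256(answer) * uint256(10) ** (18 - feedDecimals);
    }
}
```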