code-423n4 / 2021-09-wildcredit-findings


Use of deprecated Chainlink API #55

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

The contract uses Chainlink’s deprecated API latestAnswer(). Such functions might suddenly stop working if Chainlink stopped supporting deprecated APIs.

Impact: Deprecated API stops working. Prices cannot be obtained. Protocol stops and contracts have to be redeployed.

See similar Low-severity finding L11 from OpenZeppelin's Audit of Opyn Gamma Protocol: https://blog.openzeppelin.com/opyn-gamma-protocol-audit/

This was a Medium-severity finding in the previous version of the WildCredit contest as well: https://github.com/code-423n4/2021-07-wildcredit-findings/issues/75 where it was reported that "latestAnswer method will return the last value, but you won't be able to check if the data is fresh. On the other hand, calling the method latestRoundData allow you to run some extra validations"

Proof of Concept

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/UniswapV3Oracle.sol#L101

See https://docs.chain.link/docs/deprecated-aggregatorinterface-api-reference/#latestanswer.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Use V3 interface functions: https://docs.chain.link/docs/price-feeds-api-reference/
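The following is an added illustration of the mitigation described in the finding; it is not code from the WildCredit repository or from the reporter. It places the deprecated `latestAnswer()` call next to a `latestRoundData()` call that performs the freshness and sanity validations the deprecated API cannot expose. The contract name, the `maxStaleness` parameter and the chosen checks are assumptions for the example; the interface signatures are Chainlink's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copies of the two Chainlink interfaces so this file compiles stand-alone.
// Deprecated AggregatorInterface (the API the finding flags):
interface AggregatorInterface {
    function latestAnswer() external view returns (int256);
}

// AggregatorV3Interface (the recommended replacement):
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Hypothetical price consumer showing the pattern before and after the fix.
contract PriceConsumerExample {
    AggregatorV3Interface public immutable feed;
    // Maximum accepted age of a price, in seconds. Assumed value for the example;
    // in practice derive it from the feed's documented heartbeat.
    uint256 public immutable maxStaleness;

    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 nowTs);

    constructor(address feedAddress, uint256 maxStalenessSeconds) {
        feed = AggregatorV3Interface(feedAddress);
        maxStaleness = maxStalenessSeconds;
    }

    // BEFORE: deprecated call. Returns whatever was last stored, with no way
    // to tell whether the round completed or how old the value is.
    function priceDeprecated() external view returns (int256) {
        return AggregatorInterface(address(feed)).latestAnswer();
    }

    // AFTER: V3 call plus the validations the deprecated API cannot offer.
    function priceValidated() public view returns (uint256 price, uint8 feedDecimals) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // A zero or negative answer is never a valid price.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not been answered; answeredInRound
        // lagging roundId means the answer comes from an older round.
        if (updatedAt == 0 || answeredInRound < roundId) {
            revert IncompleteRound(roundId, answeredInRound);
        }
        // Reject prices older than the tolerated staleness window.
        if (block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp);
        }

        return (uint256(answer), feed.decimals());
    }
}
```

The `answeredInRound` comparison reflects Chainlink's guidance at the time of this finding; Chainlink has since marked that field as deprecated for its current feeds, so the `updatedAt` staleness check is the one that keeps carrying the freshness guarantee. Reverting rather than returning a default value is deliberate: a lending protocol that silently consumes a stale price is in a worse position than one whose price-dependent operations pause until the feed recovers.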

talegift commented 2 years ago

We'll remove dependence on Chainlink completely.