Open code423n4 opened 2 years ago
WatchPug
https://github.com/code-423n4/2021-12-perennial/blob/fd7c38823833a51ae0c6ae3856a3d93a7309c0e4/protocol/contracts/oracle/ChainlinkOracle.sol#L50-L60
```solidity
function sync() public {
    (, int256 feedPrice, , uint256 timestamp, ) = feed.latestRoundData();
    Fixed18 price = Fixed18Lib.ratio(feedPrice, SafeCast.toInt256(_decimalOffset));

    if (priceAtVersion.length == 0 || timestamp > timestampAtVersion[currentVersion()] + minDelay) {
        priceAtVersion.push(price);
        timestampAtVersion.push(timestamp);

        emit Version(currentVersion(), timestamp, price);
    }
}
```
If `block.timestamp - timestampAtVersion[currentVersion()] < minDelay`, there is no need to call `feed.latestRoundData()`.
Change to:
```solidity
function sync() public {
    if (priceAtVersion.length == 0 || block.timestamp - timestampAtVersion[currentVersion()] >= minDelay) {
        (, int256 feedPrice, , uint256 timestamp, ) = feed.latestRoundData();
        Fixed18 price = Fixed18Lib.ratio(feedPrice, SafeCast.toInt256(_decimalOffset));

        if (priceAtVersion.length == 0 || timestamp > timestampAtVersion[currentVersion()] + minDelay) {
            priceAtVersion.push(price);
            timestampAtVersion.push(timestamp);

            emit Version(currentVersion(), timestamp, price);
        }
    }
}
```
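Added example, not part of the original report or the Perennial code base: a Python model of the two `sync()` variants replayed over a timeline, checking that the early return records the same versions while reading the feed less often. It assumes the feed's reported timestamp never exceeds `block.timestamp`; `MIN_DELAY`, the round times and the call times are constructed values.

```python
import bisect
import random

MIN_DELAY = 30  # assumed value for minDelay, in seconds


def feed_timestamp(rounds, now):
    """Timestamp of the latest feed round at block time `now`.

    Models feed.latestRoundData() under the assumption timestamp <= now.
    """
    return rounds[bisect.bisect_right(rounds, now) - 1]


def run(calls, rounds, optimized):
    """Replay sync() at each block time in `calls`.

    Returns (recorded version timestamps, number of feed reads).
    """
    versions, reads = [], 0
    for now in calls:
        # Suggested change: return before the external call while still
        # inside the minDelay window of the current version.
        if optimized and versions and now - versions[-1] < MIN_DELAY:
            continue
        ts = feed_timestamp(rounds, now)
        reads += 1
        # Check shared by both variants: only a sufficiently newer round
        # becomes a new version.
        if not versions or ts > versions[-1] + MIN_DELAY:
            versions.append(ts)
    return versions, reads


def equivalent(seed, n=200):
    """Property check on a random (seeded) timeline: same versions either way."""
    rng = random.Random(seed)
    rounds = sorted({0} | {rng.randrange(1, 1000) for _ in range(n)})
    calls = sorted(rng.randrange(0, 1000) for _ in range(n))
    return run(calls, rounds, False)[0] == run(calls, rounds, True)[0]


# Constructed sample timeline: feed round times and a sync() call every 5 s.
SAMPLE_ROUNDS = [0, 20, 45, 70, 100, 140]
SAMPLE_CALLS = list(range(5, 160, 5))

if __name__ == "__main__":
    print("original :", run(SAMPLE_CALLS, SAMPLE_ROUNDS, False))
    print("optimized:", run(SAMPLE_CALLS, SAMPLE_ROUNDS, True))
```

The equivalence rests on the stated assumption: if the feed timestamp is at most the block time, the inner check can never pass inside the skipped window.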