code-423n4 / 2022-01-yield-findings


Chainlink oracles might return stale data #138

Status: Closed (code423n4 closed this issue 2 years ago)

code423n4 commented 2 years ago

Handle

hack3r-0m

Vulnerability details

Location: https://github.com/code-423n4/2022-01-yield/blob/main/contracts/Cvx3CrvOracle.sol#L120-L122

DAI.latestRoundData returns data from the latest round, but there is no guarantee that the latest round happened recently; it may be that the latest round happened 1 hour or 1 day ago.

This can lead to stale data used for calculation and accounting.

Tools Used

Manual Review

Recommended Mitigation Steps

```solidity
// Destructure the full return tuple of latestRoundData instead of only the price,
// so that the round's timestamps are available for a freshness check.
(
    uint80 roundID,         // id of the latest round
    int price,              // the answer (price) reported in that round
    uint startedAt,         // when the round was started
    uint timeStamp,         // when the round was last updated (updatedAt)
    uint80 answeredInRound  // round in which the answer was computed
) = priceFeed.latestRoundData();
```

Check that startedAt and timeStamp are within certain permissible bounds (e.g. the difference between the current timestamp and the latest round timestamp is not more than 1 hour).
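One way to implement the recommended check, as an added example that is not the Yield Cvx3CrvOracle code nor code from the finding: a library that reverts instead of returning a stale answer. It assumes a minimal AggregatorV3Interface declared inline and a caller-chosen maxDelay (a hypothetical parameter, e.g. 1 hours for a feed with a one-hour heartbeat).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Added example: minimal Chainlink aggregator interface, declared inline so the
// file compiles on its own (assumption: matches the real AggregatorV3Interface).
interface AggregatorV3Interface {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Reads a Chainlink feed and reverts instead of returning stale data.
library SafeChainlink {
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 maxDelay);

    /// @param feed     the aggregator to query
    /// @param maxDelay hypothetical tolerance in seconds; set it from the feed's heartbeat
    /// @return price   the answer as uint256, in the feed's own decimals
    function latestPriceChecked(AggregatorV3Interface feed, uint256 maxDelay)
        internal view
        returns (uint256 price)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // A zero or negative answer is never a valid price.
        if (answer <= 0) revert InvalidPrice(answer);

        // updatedAt == 0 means the round has not completed;
        // answeredInRound < roundId means the answer was carried over from an older round.
        if (updatedAt == 0 || answeredInRound < roundId) {
            revert IncompleteRound(roundId, answeredInRound);
        }

        // The mitigation from the finding: bound the age of the latest round.
        // (0.8 checked arithmetic reverts if updatedAt were somehow in the future.)
        if (block.timestamp - updatedAt > maxDelay) revert StalePrice(updatedAt, maxDelay);

        price = uint256(answer);
    }
}
```

A consumer calls `SafeChainlink.latestPriceChecked(feed, 1 hours)` and lets the revert propagate, so accounting code never runs on an answer older than the chosen bound.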

alcueca commented 2 years ago

Duplicate of #94

GalloDaSballo commented 2 years ago

Duplicate of #136