code-423n4 / 2022-01-yield-findings


Improper Validation Of Chainlink's `latestRoundData` Function #90

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

leastwood

Vulnerability details

Impact

latestRoundData is missing additional validation to ensure that the round is complete and has returned a valid/expected price. This is documented here.

Proof of Concept

https://github.com/code-423n4/2022-01-yield/blob/main/contracts/Cvx3CrvOracle.sol#L120-L127

```solidity
(, int256 daiPrice, , , ) = DAI.latestRoundData();
(, int256 usdcPrice, , , ) = USDC.latestRoundData();
(, int256 usdtPrice, , , ) = USDT.latestRoundData();

require(
    daiPrice > 0 && usdcPrice > 0 && usdtPrice > 0,
    "Chainlink pricefeed reporting 0"
);
```

Tools Used

Manual code review. Chainlink best practices.

Recommended Mitigation Steps

Consider validating the output of latestRoundData to match the following code snippet:

```solidity
(
    uint80 roundID,
    int256 daiPrice,
    ,
    uint256 updateTime,
    uint80 answeredInRound
) = DAI.latestRoundData();
require(
    answeredInRound >= roundID,
    "Yield: Chainlink Price Stale"
);
require(daiPrice > 0, "Yield: Chainlink Malfunction");
require(updateTime != 0, "Yield: Incomplete round");
```

The same recommendation can be applied to the USDC.latestRoundData() and USDT.latestRoundData() calls.
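An off-chain Python model of the two checks, added here as an illustration and not part of the original report or the Yield code base: it runs the quoted `price > 0` check and the recommended three-part validation over constructed round tuples to show which conditions only the latter rejects. The `Round` type, the function names and all sample values are assumptions.

```python
from typing import NamedTuple, Optional


class Round(NamedTuple):
    """Mirrors the five values returned by latestRoundData()."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def original_check(r: Round) -> Optional[str]:
    """The check quoted from Cvx3CrvOracle.sol: only the sign of the price."""
    if r.answer <= 0:
        return "Chainlink pricefeed reporting 0"
    return None


def recommended_check(r: Round) -> Optional[str]:
    """The recommended validation, in the same order as the require statements."""
    if r.answered_in_round < r.round_id:
        return "Yield: Chainlink Price Stale"
    if r.answer <= 0:
        return "Yield: Chainlink Malfunction"
    if r.updated_at == 0:
        return "Yield: Incomplete round"
    return None


# Constructed sample rounds (8-decimal USD prices, Unix timestamps).
SAMPLES = {
    "healthy": Round(100, 100_010_000, 1_640_000_000, 1_640_000_030, 100),
    # Answer carried over from round 100 while the feed reports round 101.
    "carried_over": Round(101, 100_010_000, 1_640_003_600, 1_640_000_030, 100),
    # Round started but never updated: updated_at is still zero.
    "incomplete": Round(102, 100_010_000, 1_640_007_200, 0, 102),
    "non_positive": Round(103, 0, 1_640_010_800, 1_640_010_830, 103),
}


def compare(samples=SAMPLES):
    """Return {name: (original_result, recommended_result)}; None means accepted."""
    return {n: (original_check(r), recommended_check(r)) for n, r in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:13} original={old or 'accepted'!s:32} recommended={new or 'accepted'}")
```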

iamsahu commented 2 years ago

Duplicate of #136