Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L63-L66
```solidity
function _ethPrice() private view returns (int256) {
    (, int256 answer, , , ) = _ethOracle.latestRoundData();
    return answer;
}
```
On ChainlinkUsdWrapper.sol, we are using latestRoundData, but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation:
Consider adding missing checks for stale data.
For example:
```solidity
(uint80 roundID, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = _ethOracle.latestRoundData();
require(answer > 0, "Chainlink price <= 0");
require(answeredInRound >= roundID, "Stale price");
require(updatedAt != 0, "Round not complete");
```
Duplicate of #17
https://github.com/backdfund/protocol/pull/292
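The checks recommended in the issue, placed in a complete reader next to a mock feed that can replay each stale case. This is an added example, not code from the issue or from the backd repository. `IFeed`, `MockFeed`, `HardenedEthPrice` and `MAX_AGE` are hypothetical names, and the explicit age bound goes beyond the checks the issue lists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface that the wrapper relies on.
interface IFeed {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Constructed mock: a test sets whatever round tuple the reader should see.
contract MockFeed is IFeed {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 r, int256 a, uint256 u, uint80 air) external {
        (roundId, answer, updatedAt, answeredInRound) = (r, a, u, air);
    }

    function latestRoundData() external view override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}

contract HardenedEthPrice {
    IFeed private immutable _ethOracle;
    // Assumption: set this to the heartbeat of the feed actually used.
    uint256 public constant MAX_AGE = 1 hours;

    constructor(IFeed feed) {
        _ethOracle = feed;
    }

    function ethPrice() external view returns (int256) {
        (uint80 roundID, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            _ethOracle.latestRoundData();
        require(answer > 0, "Chainlink price <= 0");        // set(5, 0, now, 5) reverts here
        require(answeredInRound >= roundID, "Stale price"); // set(5, 1e8, now, 4) reverts here
        require(updatedAt != 0, "Round not complete");      // set(5, 1e8, 0, 5) reverts here
        // Added beyond the issue's checks: reject answers older than MAX_AGE.
        require(block.timestamp - updatedAt <= MAX_AGE, "Price too old");
        return answer;
    }
}
```

Deploy `MockFeed`, pass its address to `HardenedEthPrice`, and call `set` with the tuples shown in the comments to confirm each `require` rejects its case.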