Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkOracleProvider.sol#L55-L58
Though it checks `updatedAt` with `stalePriceDelay`, it still gets an unintended stale price without checking `roundId`.
In the `getPriceUSD` function of `ChainlinkOracleProvider.sol`:
```solidity
(, int256 answer, , uint256 updatedAt, ) = AggregatorV2V3Interface(feed).latestRoundData();
require(block.timestamp <= updatedAt + stalePriceDelay, Error.STALE_PRICE);
require(answer >= 0, Error.NEGATIVE_PRICE);
```
`latestRoundData()` also returns `roundId` and `answeredInRound`; it's not safe to only check `updatedAt`.
Tools Used: vim, ethers.js
Also check `roundId` when getting price:
+ (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = AggregatorV2V3Interface(feed).latestRoundData(); require(block.timestamp <= updatedAt + stalePriceDelay, Error.STALE_PRICE); require(answer >= 0, Error.NEGATIVE_PRICE); + require(answeredInRound >= roundID, Error.STALE_PRICE);
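Review bot: the added `require(answeredInRound >= roundID, Error.STALE_PRICE);` refers to `roundID`, but the tuple on the first added line declares `roundId`; Solidity identifiers are case-sensitive, so the require needs `roundId` to compile. The patch also shows the new destructuring only as a `+` line, so the original `(, int256 answer, , uint256 updatedAt, )` line should be listed as a `-` line to make clear it is replaced rather than kept alongside.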
Duplicate of #17
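The difference between the reported checks and the recommended one, as an added Python model (not the project's Solidity and not code from the report). The `Round` tuple, the function names and all sample values are assumptions constructed for illustration; only the three comparisons mirror the `require` statements quoted in the issue.

```python
from typing import NamedTuple, Optional

STALE_PRICE, NEGATIVE_PRICE = "STALE_PRICE", "NEGATIVE_PRICE"

class Round(NamedTuple):
    """The five values latestRoundData() returns, in order."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int

def check_reported(r: Round, now: int, stale_price_delay: int) -> Optional[str]:
    """Model of the two require() checks in the reported code."""
    if not now <= r.updated_at + stale_price_delay:
        return STALE_PRICE
    if not r.answer >= 0:
        return NEGATIVE_PRICE
    return None  # price accepted

def check_recommended(r: Round, now: int, stale_price_delay: int) -> Optional[str]:
    """Same checks plus the recommended answeredInRound >= roundId."""
    err = check_reported(r, now, stale_price_delay)
    if err is None and not r.answered_in_round >= r.round_id:
        err = STALE_PRICE
    return err

# Constructed sample data: timestamps, delay and prices are made up.
NOW = 1_650_000_000
DELAY = 2 * 60 * 60  # assumed value for stalePriceDelay, in seconds
PRICE = 2_000 * 10**8
ROUNDS = {
    "fresh":         Round(100, PRICE, NOW - 60, NOW - 30, 100),
    "old_timestamp": Round(100, PRICE, NOW - 9_000, NOW - 9_000, 100),
    "negative":      Round(100, -1, NOW - 60, NOW - 30, 100),
    # Recent updatedAt, but the answer was computed in an earlier round.
    "carried_over":  Round(101, PRICE, NOW - 60, NOW - 30, 100),
}

def compare() -> dict:
    """Map each sample to (reported result, recommended result)."""
    return {name: (check_reported(r, NOW, DELAY), check_recommended(r, NOW, DELAY))
            for name, r in ROUNDS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:14} reported={before or 'accepted'} recommended={after or 'accepted'}")
```

Only the `carried_over` sample is treated differently: the reported checks accept it, the recommended check rejects it.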