code-423n4 / 2022-04-backd-findings


Chainlink's latestRoundData might return stale or incorrect results. #150

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L56

Vulnerability details

Impact

Chainlink's latestRoundData might return stale or incorrect results.

Proof of Concept

Chainlink's latestRoundData might return stale or incorrect results. If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the Chainlink system), consumers of this contract may continue using outdated, stale or incorrect data (if oracles are unable to submit, no new round is started).

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L56

Reference

Tools Used

Manual Review

Recommended Mitigation Steps

The team can consider adding checks on the return data with proper revert messages if the price is stale or the round is incomplete.
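The checks the mitigation describes, as an added example that is not the Backd project's code: a minimal wrapper that reads `latestRoundData()` and reverts with a descriptive error when the answer is non-positive, the round is incomplete, or the update is older than an assumed `maxPriceAge` bound. The `AggregatorV3Interface` subset below is restated here for self-containment; `maxPriceAge` and the error names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface, restated here so the example compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Illustrative wrapper (not the Backd ChainlinkUsdWrapper): every read of the feed is validated
// before the price is returned to a consumer.
contract CheckedChainlinkPrice {
    AggregatorV3Interface public immutable feed;

    // Assumed staleness bound in seconds. In practice this is set from the feed's documented
    // heartbeat plus a margin, so a feed that stops updating is rejected instead of reused.
    uint256 public immutable maxPriceAge;

    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 blockTimestamp);

    constructor(address feed_, uint256 maxPriceAge_) {
        feed = AggregatorV3Interface(feed_);
        maxPriceAge = maxPriceAge_;
    }

    // Returns the latest answer only if it passes the freshness and completeness checks.
    function getCheckedPrice() external view returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // A zero or negative answer is never a valid USD price.
        if (answer <= 0) revert InvalidPrice(answer);

        // updatedAt == 0 or answeredInRound < roundId means the round has not been completed.
        if (updatedAt == 0 || answeredInRound < roundId) {
            revert IncompleteRound(roundId, answeredInRound);
        }

        // Reject answers that have not been refreshed within the configured bound.
        if (block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, block.timestamp);
        }

        return uint256(answer);
    }
}
```

The staleness bound is the part that needs per-feed tuning: a bound shorter than the feed's heartbeat causes spurious reverts, while a bound much longer than it lets the wrapper keep serving an old answer after the oracle has stopped, which is the failure mode this finding describes.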

chase-manning commented 2 years ago

Duplicate of #128

gzeoneth commented 2 years ago

Duplicate of #17