Chainlink's latestRoundData might return stale or incorrect results.
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L56
Vulnerability details
Impact
Chainlink's latestRoundData might return stale or incorrect results.
Proof of Concept
Chainlink's latestRoundData might return stale or incorrect results. If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the Chainlink system), consumers of this contract may continue using outdated, stale or incorrect data (if oracles are unable to submit, no new round is started).
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L56
Reference
Tools Used
Manual Review
Recommended Mitigation Steps
The team can consider adding checks on the return data with proper revert messages if the price is stale or the round is incomplete.