code-423n4 / 2022-04-backd-findings


Chainlink oracle read can be the inverse of the value you are looking for #159

Closed. code423n4 closed this issue 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkOracleProvider.sol#L60

Vulnerability details

Impact

It is assumed in the code that the price P given by Chainlink will always be such that 1 asset <-> P USD. But if the oracle happens to be such that P asset <-> 1 USD, then you should look at the inverse of the price given by Chainlink. Also, the check is P >= 0, while it should be P > 0, because a price of 0 would be an impossible price, and you don't want to divide by 0 when calling getPriceETH.

Tools Used

(1) https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkOracleProvider.sol#L60

Recommended Mitigation Steps

In the `feeds` mapping, add a boolean variable to record whether we should multiply or divide to get the price feed needed. Change the check to P > 0.
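An illustration of the recommended mitigation, written as an added example and not taken from the Backd code base: the feed mapping carries an `inverted` flag, the price check is strict (`answer > 0`), and inverted feeds are turned into "USD per asset" by dividing. The contract, struct and function names (`InvertAwareChainlinkOracle`, `Feed`, `getPriceUSD`) are assumptions for this example; only the Chainlink `AggregatorV3Interface` subset is real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical oracle provider demonstrating the mitigation described in the finding.
contract InvertAwareChainlinkOracle {
    // `inverted` records whether the feed quotes "P asset per 1 USD" (true)
    // rather than the assumed "P USD per 1 asset" (false).
    struct Feed {
        AggregatorV3Interface aggregator;
        bool inverted;
    }

    mapping(address => Feed) public feeds;

    // Access control is omitted for brevity; a real provider restricts who can set feeds.
    function setFeed(address asset, address aggregator, bool inverted) external {
        feeds[asset] = Feed(AggregatorV3Interface(aggregator), inverted);
    }

    /// @notice Returns the USD price of `asset` scaled to 18 decimals.
    function getPriceUSD(address asset) public view returns (uint256) {
        Feed memory feed = feeds[asset];
        require(address(feed.aggregator) != address(0), "feed not set");
        (, int256 answer, , , ) = feed.aggregator.latestRoundData();
        // Strict check: 0 is not a valid quote, and the inverted branch would divide by it.
        require(answer > 0, "invalid price");
        uint256 scale = 10 ** uint256(feed.aggregator.decimals());
        if (!feed.inverted) {
            // P USD per asset: only rescale the feed's decimals to 18.
            return uint256(answer) * 1e18 / scale;
        }
        // P asset per USD: USD per asset = 1 / (answer / scale) = scale / answer, in 18 decimals.
        return scale * 1e18 / uint256(answer);
    }
}
```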

chase-manning commented 2 years ago

We won't add any Chainlink Oracles where the price is inverted.

gzeoneth commented 2 years ago

Not an issue.