code-423n4 / 2022-04-backd-findings


QA Report #165


code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L56

Vulnerability details

Impact

The current code returns the following:

return (roundId_, (answer_ * _ethPrice()) / 1e8, startedAt_, updatedAt_, answeredInRound_);

If we're wrapping an asset that's relatively stable relative to the ETH price, the answer here might not be updated constantly. By returning the startedAt of the last answer update, it's possible that this answer is considered "stale" by the protocol.

Recommended Mitigation Steps

It's better to return the new updatedAt_ at the greater of the two:

This way, if asset/ETH is unchanged for a while but there's an ETH price move, we capture the correct updatedAt timestamp.
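The following Python model is an added illustration, not code from the Backd repository or from the warden. It reproduces the composition done on the linked line (asset/ETH answer scaled by ETH/USD and divided by 1e8) and shows the two timestamp choices side by side: the wrapper as written, which forwards only the asset feed's timestamps, and the warden's suggestion of reporting the later of the two updatedAt values. It also includes a per-feed freshness check, which is the conservative reading gzeoneth's reply points at. The RoundData class, the field values and the staleness threshold are constructed for the example.

```python
from dataclasses import dataclass

# Chainlink USD feeds use 8 decimals, hence the 1e8 divisor in the wrapper.
ONE_E8 = 10**8


@dataclass(frozen=True)
class RoundData:
    """Shape of Chainlink's latestRoundData() tuple (constructed for this example)."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def wrapped_round_data_as_written(asset_eth: RoundData, eth_usd: RoundData) -> RoundData:
    """Mirror of the wrapper logic on the linked line: the answer is composed from
    both feeds, but roundId/startedAt/updatedAt come from the asset/ETH feed only."""
    return RoundData(
        asset_eth.round_id,
        asset_eth.answer * eth_usd.answer // ONE_E8,
        asset_eth.started_at,
        asset_eth.updated_at,
        asset_eth.answered_in_round,
    )


def wrapped_round_data_max_updated(asset_eth: RoundData, eth_usd: RoundData) -> RoundData:
    """Warden's suggestion: report the later of the two updatedAt timestamps, so an
    ETH/USD move is reflected even when asset/ETH has not changed for a while."""
    base = wrapped_round_data_as_written(asset_eth, eth_usd)
    return RoundData(
        base.round_id,
        base.answer,
        base.started_at,
        max(asset_eth.updated_at, eth_usd.updated_at),
        base.answered_in_round,
    )


def is_stale(rd: RoundData, now: int, max_age: int) -> bool:
    """Typical consumer-side staleness check on the single updatedAt value."""
    return now - rd.updated_at > max_age


def both_feeds_fresh(asset_eth: RoundData, eth_usd: RoundData, now: int, max_age: int) -> bool:
    """Conservative alternative (the judge's point): the composite price is only
    trustworthy if neither underlying feed has gone stale."""
    return (now - asset_eth.updated_at <= max_age) and (now - eth_usd.updated_at <= max_age)


# Constructed scenario: asset/ETH last updated at t=1000 (0.05 ETH, 18 decimals),
# ETH/USD updated at t=4000 (3000 USD, 8 decimals). Consumer checks at t=5000
# with a one-hour (3600 s) staleness threshold.
ASSET_ETH = RoundData(round_id=10, answer=5 * 10**16, started_at=1000, updated_at=1000, answered_in_round=10)
ETH_USD = RoundData(round_id=77, answer=3000 * ONE_E8, started_at=4000, updated_at=4000, answered_in_round=77)
NOW, MAX_AGE = 5000, 3600

if __name__ == "__main__":
    as_written = wrapped_round_data_as_written(ASSET_ETH, ETH_USD)
    with_max = wrapped_round_data_max_updated(ASSET_ETH, ETH_USD)
    print("composite answer (18 dp):", as_written.answer)           # 150 USD
    print("as written -> updatedAt", as_written.updated_at, "stale:", is_stale(as_written, NOW, MAX_AGE))
    print("max        -> updatedAt", with_max.updated_at, "stale:", is_stale(with_max, NOW, MAX_AGE))
    print("both feeds fresh:", both_feeds_fresh(ASSET_ETH, ETH_USD, NOW, MAX_AGE))
```

In the constructed scenario the as-written wrapper reports updatedAt=1000 and the consumer flags the price as stale even though ETH/USD is only 1000 seconds old; the max variant reports 4000 and passes. Note that the max variant also passes while the asset/ETH leg is 4000 seconds old, which is exactly the case the per-feed check rejects, so the choice between the two comes down to whether a consumer should trust a composite price when one of its legs has not been updated within the threshold.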

gzeoneth commented 2 years ago

I believe this is low risk since it can be beneficial to consider the price stale when either of the 2 prices is not updated.

gzeoneth commented 2 years ago

Considering as warden's QA report.

JeeberC4 commented 2 years ago

Preserving original title as warden did not submit a QA Report and issue was downgraded by judge: Bad updatedAt returned by ChainlinkUsdWrapper.latestRoundData

chase-manning commented 2 years ago

https://github.com/backdfund/protocol/pull/292