Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L64
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkOracleProvider.sol#L55
Vulnerability details
Impact
If the oracle price feeds are insufficiently validated, a stale or incomplete Chainlink round can be accepted as the current price, leading to mispricing of assets and risk.
Proof of Concept
The code does not verify that answeredInRound >= roundId in either place an oracle is used, and the timestamp (updatedAt) isn't checked for the ETH oracle, because the other return values of latestRoundData() are ignored:
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L64
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkOracleProvider.sol#L55
Tools Used
Code inspection
Recommended Mitigation Steps
Fetch all return values from the call to latestRoundData() and require() that answeredInRound is greater than or equal to roundId, and that updatedAt is not equal to zero.
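The following is an added example illustrating both the proof of concept and the mitigation; it is not Backd's code and not part of the original finding. The first contract shows the general pattern of discarding all return values except the answer (an illustration of the flaw, not a copy of ChainlinkUsdWrapper or ChainlinkOracleProvider). The second contract applies the recommended checks and, beyond what the finding asks for, also bounds the price age with an assumed maxPriceAge parameter and rejects non-positive answers. The AggregatorV3Interface fragment is copied in so the file compiles stand-alone; contract and parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface (only the members used here)
// so this example compiles without external imports.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Illustration of the flaw (hypothetical contract, not Backd's code):
// only `answer` is kept, so a round that was never completed
// (updatedAt == 0) or a stale answer carried over from an earlier round
// (answeredInRound < roundId) is returned as if it were the live price.
contract UnvalidatedPriceReader {
    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface feed_) {
        feed = feed_;
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }
}

// Hardened version (hypothetical contract): every return value is fetched
// and the round is validated before the answer is used.
contract ValidatedPriceReader {
    AggregatorV3Interface public immutable feed;

    // Assumed parameter: maximum accepted age of a price, normally set to the
    // feed's heartbeat plus a margin. This check goes beyond the finding's
    // recommendation, which only requires updatedAt != 0.
    uint256 public immutable maxPriceAge;

    constructor(AggregatorV3Interface feed_, uint256 maxPriceAge_) {
        feed = feed_;
        maxPriceAge = maxPriceAge_;
    }

    function getPrice() external view returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // The answer must come from the round being reported, not an older one.
        require(answeredInRound >= roundId, "Chainlink: stale round");

        // A zero timestamp means the round was started but never completed.
        require(updatedAt != 0, "Chainlink: round not complete");

        // Extra caveat: reject answers older than the accepted heartbeat window
        // (reverts on underflow in 0.8 if updatedAt is in the future).
        require(block.timestamp - updatedAt <= maxPriceAge, "Chainlink: price too old");

        // Extra caveat: a zero or negative price is never a usable quote.
        require(answer > 0, "Chainlink: invalid price");

        return uint256(answer);
    }
}
```

Applying the same pattern to both oracle call sites listed above closes the gap for the ETH feed as well, since the updatedAt check is what the finding reports as missing there.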