code-423n4 / 2022-04-backd-findings


Missing validations for return value of oracle data feed. #203

Closed (code423n4 closed this 2 years ago)

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L64
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L55
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkOracleProvider.sol#L55

Vulnerability details

Impact

In ChainlinkUsdWrapper there are no validations for answer (the price) to check whether the price is 0 or not. I checked _ethOracle (0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419).latestRoundData(). However, this contract has no validation for the price either. In addition to that, the price feed must be checked to see whether the data is really updated or not.

In ChainlinkOracleProvider answeredInRound >= roundId must be checked too.

Proof of Concept

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L55
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L64
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkOracleProvider.sol#L55

Tools Used

code review

Recommended Mitigation Steps

```solidity
// Reject a zero or negative price (Chainlink returns answer as int256).
require(answer > 0, "error message");
// Reject a stale round: the answer must come from the round that was requested.
require(answeredInRound >= roundId, "error message");
// Reject an incomplete round: updatedAt is 0 until the round has been answered.
require(updatedAt > 0, "error message");
```
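The checks recommended above, assembled into one complete wrapper as an added example (this is not Backd's code nor the warden's; the contract name ValidatedChainlinkReader, the maxStaleness parameter and the MockAggregator are assumptions made here). The AggregatorV3Interface signatures are Chainlink's real ones. Beyond the three require statements in the finding, the example also enforces a per-feed staleness window, since a non-zero updatedAt alone does not prove the feed is still being updated.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface that the reader needs.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical hardened price reader (added example, not the project's own contract).
contract ValidatedChainlinkReader {
    AggregatorV3Interface public immutable feed;
    // Longest age (seconds) a price may have before it is treated as stale.
    // Assumed parameter: set it per feed from the feed's published heartbeat.
    uint256 public immutable maxStaleness;

    error InvalidPrice(int256 answer);
    error RoundNotComplete(uint80 roundId);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 currentTime);

    constructor(address feed_, uint256 maxStaleness_) {
        require(feed_ != address(0), "feed is zero address");
        require(maxStaleness_ > 0, "staleness window is zero");
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
    }

    /// Returns the latest price only if every Chainlink round field passes validation.
    function getValidatedPrice() public view returns (uint256 price, uint8 decimals) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // 1. Price must be strictly positive; 0 or negative means a broken feed.
        if (answer <= 0) revert InvalidPrice(answer);
        // 2. updatedAt is 0 while a round is still open, so the answer is not final.
        if (updatedAt == 0) revert RoundNotComplete(roundId);
        // 3. The answer must belong to the current round, not a carried-over earlier one.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);
        // 4. Even a complete round can be too old if the feed stopped updating.
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, block.timestamp);

        return (uint256(answer), feed.decimals());
    }
}

/// Constructed mock feed so the reader can be exercised locally (e.g. in Remix).
contract MockAggregator is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    // Set all round fields at once to simulate healthy, stale or incomplete rounds.
    function setRound(uint80 roundId_, int256 answer_, uint256 updatedAt_, uint80 answeredInRound_) external {
        roundId = roundId_;
        answer = answer_;
        updatedAt = updatedAt_;
        answeredInRound = answeredInRound_;
    }

    function decimals() external pure override returns (uint8) {
        return 8;
    }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, 0, updatedAt, answeredInRound);
    }
}
```

To try it, deploy MockAggregator, deploy ValidatedChainlinkReader with the mock's address and a window such as 3600 seconds, then call setRound with a current timestamp and a positive answer to see getValidatedPrice succeed, and with answer 0, updatedAt 0, answeredInRound below roundId, or an old updatedAt to see each revert fire in turn. Custom errors are used instead of string messages so that the failing field is visible in the revert data.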

chase-manning commented 2 years ago

Duplicate of #17