code-423n4 / 2022-04-backd-findings


ChainLink latestRoundData data may be stale #220

Closed gzeoneth closed 2 years ago

gzeoneth commented 2 years ago

Originally submitted by warden 0xkatana in https://github.com/code-423n4/2022-04-backd-findings/issues/63, duplicate of https://github.com/code-423n4/2022-04-backd-findings/issues/17.

ChainLink latestRoundData data may be stale

Impact

The Chainlink API latestRoundData function returns price data with other timestamp and round data. The timestamp and round data should be validated to confirm the data is not stale.

Proof of concept

Places where latestRoundData is used:

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L55

https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L64

Tools Used

Manual analysis

Recommended Mitigation Steps

When using the latestRoundData function, the return data must be checked for a stale price or an incomplete round.

JeeberC4 commented 2 years ago

Manually created required json file