Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/NFTVault.sol#L459
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/FungibleAssetVaultForDAO.sol#L105
Vulnerability details
Impact
The Chainlink function latestAnswer() is deprecated. Instead, use latestRoundData(). As seen in the changelog, Chainlink encourages people to use the latestRoundData() function. It's not clear when the support for deprecated functions ends.

Here's the same issue from a previous contest: https://github.com/code-423n4/2021-06-tracer-findings/issues/73
Proof of Concept
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/NFTVault.sol#L459
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/FungibleAssetVaultForDAO.sol#L105
Tools Used
Recommended Mitigation Steps
Use latestRoundData() as described in the API reference. The function also provides the decimals of the value so there's no need to call oracle.decimals().
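The replacement of latestAnswer() with latestRoundData(), shown as an added example that is not code from the JPEG'd repository or from this report's author. The contract name OracleReader, the maxAge bound, the validation checks and the revert strings are assumptions; the interface is declared inline with the signatures of the two Chainlink aggregator functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Inline declaration of the two Chainlink aggregator calls discussed above.
interface IAggregator {
    function latestAnswer() external view returns (int256); // deprecated
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical consumer; not the NFTVault or FungibleAssetVaultForDAO code.
contract OracleReader {
    IAggregator public immutable oracle;
    uint256 public immutable maxAge; // assumed staleness bound, in seconds

    constructor(IAggregator _oracle, uint256 _maxAge) {
        oracle = _oracle;
        maxAge = _maxAge;
    }

    // Before: the deprecated call returns only the answer, no round metadata.
    function priceDeprecated() external view returns (uint256) {
        int256 answer = oracle.latestAnswer();
        return uint256(answer);
    }

    // After: latestRoundData() exposes round metadata that can be validated.
    function price() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            oracle.latestRoundData();
        require(answer > 0, "invalid answer");               // reject zero or negative prices
        require(updatedAt != 0, "round not complete");       // round has a completion timestamp
        require(answeredInRound >= roundId, "stale round");  // answer was computed in this round
        require(block.timestamp - updatedAt <= maxAge, "stale price");
        return uint256(answer);
    }
}
```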