Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/NFTVault.sol#L454-L468

```solidity
function _normalizeAggregatorAnswer(IAggregatorV3Interface aggregator)
    internal
    view
    returns (uint256)
{
    int256 answer = aggregator.latestAnswer();
    uint8 decimals = aggregator.decimals();

    require(answer > 0, "invalid_oracle_answer");
    //converts the answer to have 18 decimals
    return
        decimals > 18
            ? uint256(answer) / 10**(decimals - 18)
            : uint256(answer) * 10**(18 - decimals);
}
```

According to Chainlink's documentation, the `latestAnswer` function is deprecated. This function does not error if no answer has been reached but returns 0, causing an incorrect price.

Consider using the `latestRoundData` method instead.

See: https://docs.chain.link/docs/historical-price-data/#solidity
Duplicate of #4
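
The recommendation in the report above, sketched as an added example that is not part of the original report or of the JPEG'd code base: the same normalization reading from `latestRoundData` and rejecting rounds that have not completed or are too old. The `OracleReader` contract, the `MAX_ORACLE_DELAY` value and the `incomplete_round` / `stale_price` error strings are assumptions, and the interface is a trimmed declaration written for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Trimmed declaration written for this example; only the two calls used below.
interface IAggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical wrapper contract, not the project's NFTVault.
contract OracleReader {
    // Assumption: oldest price the caller accepts; set per feed heartbeat.
    uint256 public constant MAX_ORACLE_DELAY = 1 hours;

    function _normalizeAggregatorAnswer(IAggregatorV3Interface aggregator)
        internal
        view
        returns (uint256)
    {
        (, int256 answer, , uint256 updatedAt, ) = aggregator.latestRoundData();

        // Same guard as the original: zero or negative prices are rejected.
        require(answer > 0, "invalid_oracle_answer");
        // updatedAt == 0 means the round has not produced an answer yet.
        require(updatedAt != 0, "incomplete_round");
        // Reject a price older than the accepted window.
        require(block.timestamp - updatedAt <= MAX_ORACLE_DELAY, "stale_price");

        uint8 decimals = aggregator.decimals();
        // converts the answer to have 18 decimals
        return
            decimals > 18
                ? uint256(answer) / 10**(decimals - 18)
                : uint256(answer) * 10**(18 - decimals);
    }
}
```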