code-423n4 / 2022-04-jpegd-findings


Usage of deprecated ChainLink API #197

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/NFTVault.sol#L459
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

Vulnerability details

Impact

The Chainlink API latestAnswer function is used in two places but it is deprecated:

This API is deprecated. Please see API Reference for the latest Price Feed API. Chainlink Docs

The latestAnswer function does not revert if no answer has been reached but returns 0. Another confusing feature of latestAnswer is that the data is reported with 18 decimals for crypto quotes but 8 decimals for FX quotes according to Chainlink docs. This requires getting the decimals from the oracles instead of hard-coding them in the contract.

Proof of concept

Places where latestAnswer is used:
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/NFTVault.sol#L459
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

Tools Used

Manual analysis

Recommended Mitigation Steps

Use the latestRoundData Chainlink function to get the price instead. When using the latestRoundData function, the return data must be checked for a stale price or an incomplete round.
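The mitigation above, worked through as an added example; this is illustrative Solidity written for this page, not the jpeg'd vault code. It places the deprecated latestAnswer call beside a latestRoundData reader that validates every field the round returns and takes the scale from the feed's own decimals() instead of hard-coding 8 or 18. The contract name SafePriceReader, the maxStaleness tolerance and the normalisation helper are assumptions; the two interfaces use Chainlink's real function signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface (real signatures).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Legacy interface exposing only the deprecated call, kept for contrast.
interface AggregatorInterface {
    function latestAnswer() external view returns (int256);
}

/// @notice Hypothetical price reader used to illustrate the finding's mitigation.
contract SafePriceReader {
    AggregatorV3Interface public immutable feed;
    // Assumed staleness tolerance; a deployment sizes it from the feed's
    // heartbeat plus a margin rather than picking a constant.
    uint256 public immutable maxStaleness;

    constructor(address feed_, uint256 maxStaleness_) {
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
    }

    /// @dev Deprecated pattern: returns 0 silently when no answer exists and
    ///      offers no way to detect a stale or incomplete round.
    function unsafePrice(address legacyFeed) external view returns (int256) {
        return AggregatorInterface(legacyFeed).latestAnswer();
    }

    /// @dev Hardened pattern: each field of latestRoundData is validated and the
    ///      feed's own decimals are returned alongside the answer.
    function safePrice() public view returns (uint256 price, uint8 priceDecimals) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // A zero or negative answer means the feed has no usable value.
        require(answer > 0, "oracle: non-positive answer");
        // updatedAt == 0 means the round has not completed.
        require(updatedAt != 0, "oracle: incomplete round");
        // The answer must belong to the requested round or a later one.
        require(answeredInRound >= roundId, "oracle: stale round");
        // Reject answers older than the configured tolerance.
        require(block.timestamp - updatedAt <= maxStaleness, "oracle: stale price");

        return (uint256(answer), feed.decimals());
    }

    /// @dev Normalises the answer to 18 decimals so callers never assume the
    ///      feed's scale (8 for FX/USD feeds, 18 for crypto-quoted feeds).
    function safePrice18() external view returns (uint256) {
        (uint256 p, uint8 d) = safePrice();
        if (d < 18) return p * 10 ** (18 - d);
        if (d > 18) return p / 10 ** (d - 18);
        return p;
    }
}
```

A vault that consumes this reader should revert (or pause the affected action) when safePrice reverts rather than fall back to a cached or zero value, since a silent 0 is exactly the failure mode latestAnswer exposes.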

spaghettieth commented 2 years ago

Duplicate of #4