The Chainlink latestAnswer function included in IAggregatorV3Interface and called in FungibleAssetVaultForDAO#_collateralPriceUsd() is considered deprecated and no longer included in the Chainlink API documentation.
It's considered best practice to use the latestRoundData function instead. (API docs). latestAnswer returns only the value of the latest price, whereas latestRoundData returns additional information that can be used to validate whether a price is stale:
Stale prices may impact collateral value and credit limit calculations used in the borrow and withdraw functions, incorrectly reporting the vault as over- or undercollateralized.
See also OpenZeppelin's guidelines for safely using latestRoundData and latestAnswer, and consider the impact of a stale or reverting price feed.
spaghettieth
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105
Vulnerability details
Likelihood low, impact high.
The Chainlink
latestAnswerfunction included inIAggregatorV3Interfaceand called inFungibleAssetVaultForDAO#_collateralPriceUsd()is considered deprecated and no longer included in the Chainlink API documentation.It's considered best practice to use the
latestRoundDatafunction instead. (API docs).latestAnswerreturns only the value of the latest price, whereaslatestRoundDatareturns additional information that can be used to validate whether a price is stale:[
FungibleAssetVaultForDAO#105]((https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105)Example:
Stale prices may impact collateral value and credit limit calculations used in the
borrowandwithdrawfunctions, incorrectly reporting the vault as over- or undercollateralized.See also OpenZeppelin's guidelines for safely using
latestRoundDataandlatestAnswer, and consider the impact of a stale or reverting price feed.