code-423n4 / 2022-04-jpegd-findings


Deprecated CHAINLINK API usage #233

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/FungibleAssetVaultForDAO.sol#L105

Vulnerability details

Impact

Usage of deprecated Chainlink function to get collateral price.

Proof of Concept

The Chainlink API (latestAnswer) used in the FungibleAssetVaultForDAO contract is deprecated:

https://web.archive.org/web/20210304160150/https://docs.chain.link/docs/deprecated-aggregatorinterface-api-reference

This method returns the last value, but that value cannot be fully updated. The new V3 API is much more complete and allows you to make more checks, for example, when that price was updated.

https://docs.chain.link/docs/price-feeds-api-reference/

Tools Used

Manual code review

Recommended Mitigation Steps

Use the latestRoundData() function to get the price instead and perform proper checks.
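A sketch of the recommended mitigation, added here as an illustration and not taken from the report or the JPEG'd code base: a price reader that calls `latestRoundData()` and rejects non-positive, incomplete or stale answers. The contract name `CheckedPriceReader`, the `maxPriceAge` parameter, the revert strings and the 18-decimal scaling are assumptions; the interface is a minimal inline subset of Chainlink's `AggregatorV3Interface`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the
// example is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical contract: names and the staleness bound are assumptions.
contract CheckedPriceReader {
    AggregatorV3Interface public immutable oracle;
    // Maximum accepted age of a price in seconds (assumption: set per feed).
    uint256 public immutable maxPriceAge;

    constructor(AggregatorV3Interface _oracle, uint256 _maxPriceAge) {
        oracle = _oracle;
        maxPriceAge = _maxPriceAge;
    }

    /// @return price the latest answer scaled to 18 decimals
    function collateralPriceUSD() external view returns (uint256 price) {
        (, int256 answer, , uint256 updatedAt, ) = oracle.latestRoundData();

        // latestAnswer() exposes none of the metadata checked below.
        require(answer > 0, "invalid_oracle_answer");
        require(updatedAt != 0, "round_not_complete");
        // Reverts on underflow if updatedAt lies in the future (0.8 checked math).
        require(block.timestamp - updatedAt <= maxPriceAge, "stale_price");

        uint8 decimals = oracle.decimals();
        require(decimals <= 18, "unsupported_decimals");
        price = uint256(answer) * 10 ** (18 - decimals);
    }
}
```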

spaghettieth commented 2 years ago

Duplicate of #4