Closed code423n4 closed 2 years ago
Duplicate of #1
Lines of code
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-84
Vulnerability details
Impact
Oracle might return stale data for basePrice and quotePrice.
Proof of Concept
refreshedAssetPerBaseInUQ in ChainlinkPriceOracle.sol does not check if the data from Chainlink is fresh (https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-84). If there is a problem with the Chainlink oracle, this contract may be supplied with incorrect or stale data.
See these previous issues for reference: https://github.com/code-423n4/2021-10-mochi-findings/issues/87 https://github.com/code-423n4/2022-01-yield-findings/issues/78
Tools Used
Manual code review, previous bug reports
Recommended Mitigation Steps
Implement checks with require statements using roundID and answeredInRound info supplied by Chainlink to ensure the data is fresh. See the mitigation in (https://github.com/code-423n4/2021-10-mochi-findings/issues/87).
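The unchecked read described above next to a hardened version, as an added Solidity example that is not the Phuture contract's own code; the contract and function names and the MAX_PRICE_AGE value are assumptions, while the latestRoundData() tuple matches Chainlink's AggregatorV3Interface:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface (only the function used here).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical reader contract used to contrast the two patterns.
contract FreshChainlinkReader {
    // Assumed maximum accepted age; in practice this should match the feed's heartbeat.
    uint256 public constant MAX_PRICE_AGE = 1 hours;

    // Vulnerable pattern: uses whatever the aggregator returns, even an
    // incomplete or stale round, and never validates the answer.
    function unsafeLatestAnswer(AggregatorV3Interface feed) external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }

    // Hardened pattern: rejects invalid, incomplete and stale rounds before
    // the answer is used for any pricing decision.
    function safeLatestAnswer(AggregatorV3Interface feed) external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "Chainlink: invalid answer");
        require(updatedAt != 0, "Chainlink: round not complete");
        require(answeredInRound >= roundId, "Chainlink: stale round");
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "Chainlink: price too old");
        return uint256(answer);
    }
}
```

The answeredInRound check catches a carried-over answer from an earlier round, and the updatedAt bound catches a feed that has simply stopped updating, which the roundId comparison alone would not detect.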