code-423n4 / 2022-04-phuture-findings


latestRoundData data insufficiently validated #9

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-L84

Vulnerability details

Impact

The data returned by the Chainlink latestRoundData() function may be stale. There should be checks applied on the data received from Chainlink to validate that it is not stale. https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round

Proof of Concept

The ChainlinkPriceOracle contract has these two lines https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-L84

(, int basePrice, , , ) = baseAggregator.latestRoundData();
(, int quotePrice, , , ) = assetInfo.aggregator.latestRoundData();

The Chainlink oracle data is not validated properly. There is no check for stale price and round completeness. The price returned can be stale and can lead to inaccurate return values.

Tools Used

Manual analysis

Recommended Mitigation Steps

Validate the round and timestamp returned by the oracle data

// Base feed: reject non-positive prices, carried-over answers and incomplete rounds
(uint80 baseRoundID, int basePrice, , uint256 baseTimestamp, uint80 baseAnsweredInRound) = baseAggregator.latestRoundData();
require(basePrice > 0, "price is 0");
require(baseAnsweredInRound >= baseRoundID, "stale price");
require(baseTimestamp > 0, "incomplete round");

// Quote feed: same checks; variable names are distinct because both reads share one scope
(uint80 quoteRoundID, int quotePrice, , uint256 quoteTimestamp, uint80 quoteAnsweredInRound) = assetInfo.aggregator.latestRoundData();
require(quotePrice > 0, "price is 0");
require(quoteAnsweredInRound >= quoteRoundID, "stale price");
require(quoteTimestamp > 0, "incomplete round");

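
Added example, not part of the original report or of the Phuture code base: the three checks from the mitigation factored into one helper that both feed reads share, with a constructed mock feed so each failure case can be driven from a unit test. The names `ValidatedFeed`, `MockFeed`, `PricePair` and `MAX_AGE` are hypothetical, and the `maxAge` bound is an assumption that goes beyond the checks listed in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface, declared inline to keep the file self-contained.
interface IAggregatorV3 {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper: one place for the round checks, used for both feeds.
library ValidatedFeed {
    // maxAge (seconds) is an assumed extra bound on the answer's age; 0 disables it.
    function latestPrice(IAggregatorV3 feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "price is 0");
        require(updatedAt > 0, "incomplete round");
        require(answeredInRound >= roundId, "stale price");
        // With maxAge set, checked arithmetic makes an updatedAt in the future revert too.
        require(maxAge == 0 || block.timestamp - updatedAt <= maxAge, "price too old");
        return uint256(answer);
    }
}

// Constructed mock feed so a test can set every field of the round.
contract MockFeed is IAggregatorV3 {
    uint80 private _roundId;
    int256 private _answer;
    uint256 private _updatedAt;
    uint80 private _answeredInRound;

    function set(uint80 roundId, int256 answer, uint256 updatedAt, uint80 answeredInRound) external {
        (_roundId, _answer, _updatedAt, _answeredInRound) = (roundId, answer, updatedAt, answeredInRound);
    }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (_roundId, _answer, _updatedAt, _updatedAt, _answeredInRound);
    }
}

// Hypothetical consumer mirroring the two reads quoted in the report.
contract PricePair {
    using ValidatedFeed for IAggregatorV3;
    uint256 private constant MAX_AGE = 1 hours; // assumed value; choose per feed
    IAggregatorV3 public immutable baseFeed;
    IAggregatorV3 public immutable quoteFeed;

    constructor(IAggregatorV3 base, IAggregatorV3 quote) { baseFeed = base; quoteFeed = quote; }

    function prices() external view returns (uint256 basePrice, uint256 quotePrice) {
        basePrice = baseFeed.latestPrice(MAX_AGE);
        quotePrice = quoteFeed.latestPrice(MAX_AGE);
    }
}
```

Setting a `MockFeed` to `answeredInRound < roundId`, `updatedAt == 0` or `answer <= 0` makes `prices()` revert with the matching message.
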
olivermehr commented 2 years ago

Duplicate of #1