code-423n4 / 2022-05-bunker-findings


Deprecated Chainlink oracle API #85

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/bunkerfinance/bunker-protocol/blob/main/contracts/PriceOracleImplementation.sol#L29

Vulnerability details

Impact

Deprecated Chainlink oracle API. API might stop working. Prices could be outdated. Protocol might need to be redeployed or false prices might lead to users losing funds.

Proof of Concept

https://github.com/bunkerfinance/bunker-protocol/blob/main/contracts/PriceOracleImplementation.sol#L29

The contracts use Chainlink’s deprecated API latestAnswer(). Such functions might suddenly stop working if Chainlink stops supporting deprecated APIs.

Additionally, one cannot check if the returned price is fresh. The price might be stale (old historical price).

Tools Used

Manual review

Recommended Mitigation Steps

Use the latestRoundData() function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is incomplete, for example:

```solidity
// Read the full round record instead of the deprecated latestAnswer()
(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
// The answer must belong to the current round, not be carried over from an older one
require(answeredInRound >= roundID, "...");
// timeStamp is zero while a round is still open, i.e. the round is incomplete
require(timeStamp != 0, "...");
```
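
A complete wrapper that applies these checks, added here as an illustration and not taken from the Bunker code base: it inlines the subset of Chainlink's AggregatorV3Interface it needs (so it compiles without the @chainlink/contracts package), adds a time-based heartbeat check and a sign check on top of the two `require`s above, and normalises the answer to 18 decimals. The contract name, the custom errors and the `maxDelay` constructor parameter are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal subset of Chainlink's AggregatorV3Interface, copied inline so this
/// example is self-contained. The real interface lives in @chainlink/contracts.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Example price reader (assumed name; not Bunker's PriceOracleImplementation).
contract CheckedPriceReader {
    error IncompleteRound(uint80 roundId);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 maxDelay);
    error InvalidPrice(int256 answer);

    AggregatorV3Interface public immutable feed;

    /// Maximum accepted age of an answer, in seconds. Assumption: the deployer
    /// sets this to the feed's documented heartbeat plus a small margin.
    uint256 public immutable maxDelay;

    constructor(AggregatorV3Interface _feed, uint256 _maxDelay) {
        feed = _feed;
        maxDelay = _maxDelay;
    }

    /// Returns the latest price scaled to 18 decimals, reverting on every
    /// staleness signal latestRoundData() exposes.
    function getPrice() external view returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // updatedAt is zero while a round is still open: the round is incomplete.
        if (updatedAt == 0) revert IncompleteRound(roundId);

        // The answer must come from the current round, not an older one.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        // Heartbeat check: an answer older than maxDelay is treated as stale
        // even if the round bookkeeping above looks fine.
        if (block.timestamp - updatedAt > maxDelay) revert StalePrice(updatedAt, maxDelay);

        // Feeds return int256; a zero or negative answer is never a usable price.
        if (answer <= 0) revert InvalidPrice(answer);

        // Normalise to 18 decimals so callers do not depend on the feed's precision.
        uint8 dec = feed.decimals();
        if (dec <= 18) {
            return uint256(answer) * 10 ** (18 - dec);
        }
        return uint256(answer) / 10 ** (dec - 18);
    }
}
```

The `block.timestamp - updatedAt > maxDelay` check is the one that catches a feed that has simply stopped updating, which neither of the two round checks alone detects; choose `maxDelay` per feed, since heartbeats differ between price pairs. Chainlink has since marked `answeredInRound` as deprecated in its own documentation, so the time-based check is the durable part of this pattern.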

bunkerfinance-dev commented 2 years ago

Duplicate of #1