code-423n4 / 2022-06-connext-findings


QA Report #178

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Missing validation for the return value of the price oracle

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L125

Vulnerability details

Impact

The price feed must be checked if the data is really updated or not.

Proof of Concept

https://github.com/code-423n4/2022-06-connext/blob/main/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L125

Tools Used

code review

Recommended Mitigation Steps

Add the following validations.

```solidity
// Chainlink's AggregatorV3Interface returns the answer as int256, not uint256,
// so the destructuring must use int256 to compile against the interface.
(uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = oracle.latestRoundData();

// The answer must come from a completed round ...
require(answeredInRound >= roundId, "error message");
// ... and the round must actually have been updated.
require(updatedAt > 0, "error message");
```
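As an added illustration (not code from the finding or from the Connext repository), the unchecked read beside a hardened version of the same read. It goes slightly beyond the finding's two checks by also bounding the answer's age against a per-feed heartbeat and rejecting non-positive answers; `ValidatedPriceReader`, `maxStaleness` and the custom errors are hypothetical names, and the interface is the minimal subset of Chainlink's `AggregatorV3Interface` that the example needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface (signatures match the real interface).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract ValidatedPriceReader {
    // Hypothetical: maximum accepted age of an answer, configured per feed to that feed's heartbeat.
    mapping(address => uint256) public maxStaleness;
    address public immutable owner;

    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StaleTimestamp(uint256 updatedAt, uint256 maxAge);
    error InvalidAnswer(int256 answer);
    error FeedNotConfigured(address feed);

    constructor() { owner = msg.sender; }

    function setMaxStaleness(address feed, uint256 maxAge) external {
        require(msg.sender == owner, "not owner");
        maxStaleness[feed] = maxAge;
    }

    // Unchecked pattern described in the finding: the answer is used without
    // looking at the round or timestamp fields, so a stale price is silently accepted.
    function unsafePrice(address feed) external view returns (uint256) {
        (, int256 answer, , , ) = AggregatorV3Interface(feed).latestRoundData();
        return uint256(answer);
    }

    // Hardened pattern: every relevant return value is validated before the answer is used.
    function safePrice(address feed) external view returns (uint256) {
        uint256 maxAge = maxStaleness[feed];
        if (maxAge == 0) revert FeedNotConfigured(feed);
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();
        // Answer must belong to a completed round (the finding's first check).
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);
        // Round must have been updated (the finding's second check), and recently enough.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) revert StaleTimestamp(updatedAt, maxAge);
        // A zero or negative price is never a valid answer for a price feed.
        if (answer <= 0) revert InvalidAnswer(answer);
        return uint256(answer);
    }
}
```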

ecmendenhall commented 2 years ago

Duplicate of #190

jakekidd commented 2 years ago

dup https://github.com/code-423n4/2022-06-connext-findings/issues/190