Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L122-L130
If the oracle price feeds are insufficiently validated, there will be pricing errors leading to the miss-pricing of assets/risk
The code does not verify that answeredInRound >= roundID, and the timestamp isn't checked because the return values are ignored:
answeredInRound >= roundID
File: contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol #1 122 function getPriceFromChainlink(address _tokenAddress) public view returns (uint256) { 123 AggregatorV3Interface aggregator = aggregators[_tokenAddress]; 124 if (address(aggregator) != address(0)) { 125 (, int256 answer, , , ) = aggregator.latestRoundData(); 126 127 // It's fine for price to be 0. We have two price feeds. 128 if (answer == 0) { 129 return 0; 130 }
Code inspection
Fetch all return values from the call to latestRoundData() and require() that answeredInRound is greater than or equal to roundID, and that updatedAt is not equal to zero
latestRoundData()
require()
answeredInRound
roundID
updatedAt
Duplicate of #190
dup https://github.com/code-423n4/2022-06-connext-findings/issues/190
Merging with #186.
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L122-L130
Vulnerability details
Impact
If the oracle price feeds are insufficiently validated, there will be pricing errors leading to the miss-pricing of assets/risk
Proof of Concept
The code does not verify that
answeredInRound >= roundID
, and the timestamp isn't checked because the return values are ignored:https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L122-L130
Tools Used
Code inspection
Recommended Mitigation Steps
Fetch all return values from the call to
latestRoundData()
andrequire()
thatansweredInRound
is greater than or equal toroundID
, and thatupdatedAt
is not equal to zero