code-423n4 / 2022-06-connext-findings


Oracle data feeds are insufficiently validated #187

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L122-L130

Vulnerability details

Impact

If the oracle price feeds are insufficiently validated, there will be pricing errors leading to the mispricing of assets/risk.

Proof of Concept

The code does not verify that answeredInRound >= roundID, and the timestamp isn't checked because the return values are ignored:

File: contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol   #1

    function getPriceFromChainlink(address _tokenAddress) public view returns (uint256) {
      AggregatorV3Interface aggregator = aggregators[_tokenAddress];
      if (address(aggregator) != address(0)) {
        (, int256 answer, , , ) = aggregator.latestRoundData();

        // It's fine for price to be 0. We have two price feeds.
        if (answer == 0) {
          return 0;
        }

https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L122-L130

Tools Used

Code inspection

Recommended Mitigation Steps

Fetch all return values from the call to latestRoundData() and require() that answeredInRound is greater than or equal to roundID, and that updatedAt is not equal to zero.
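The mitigation recommended in the report above, written out as an added example (not code from the report or from the Connext repository). The contract name, constructor, error strings, the zero-address branch and the negative-answer guard are assumptions made so the example stands alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
  function latestRoundData()
    external
    view
    returns (
      uint80 roundId,
      int256 answer,
      uint256 startedAt,
      uint256 updatedAt,
      uint80 answeredInRound
    );
}

// Hypothetical contract; only getPriceFromChainlink mirrors a name from the report.
contract ValidatedPriceReader {
  mapping(address => AggregatorV3Interface) public aggregators;

  // Assumed constructor so the example deploys on its own.
  constructor(address _tokenAddress, AggregatorV3Interface _aggregator) {
    aggregators[_tokenAddress] = _aggregator;
  }

  function getPriceFromChainlink(address _tokenAddress) public view returns (uint256) {
    AggregatorV3Interface aggregator = aggregators[_tokenAddress];
    if (address(aggregator) == address(0)) {
      return 0; // assumption: no feed configured is reported as "no price"
    }

    // Bind every value the report says is being ignored.
    (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
      aggregator.latestRoundData();

    // updatedAt == 0 means the round has not been completed.
    require(updatedAt != 0, "Chainlink: round not complete");
    // answeredInRound < roundId means the answer was carried over from an older round.
    require(answeredInRound >= roundId, "Chainlink: stale answer");
    // Extra guard, not in the report: uint256(answer) would wrap a negative value.
    require(answer >= 0, "Chainlink: negative answer");

    return uint256(answer); // 0 still passes through, as in the reported code
  }
}
```

These require() calls revert on a bad round; since the reported code treats a 0 return as acceptable because a second price feed exists, returning 0 on a failed check is the alternative when a fallback is preferred over a revert.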

ecmendenhall commented 2 years ago

Duplicate of #190

jakekidd commented 2 years ago

dup https://github.com/code-423n4/2022-06-connext-findings/issues/190

0xleastwood commented 1 year ago

Merging with #186.