Although the protocol recognizes that Chainlink oracles can provide outdated answers, using stale answers without further validation might not be a good practice. Moreover, in the _updateExchangeRate function, where the latestRoundData method is used, there are already checks that can possibly revert, such as if (_answer <= 0) {revert OracleLTEZero(oracleMultiply)} and if (_exchangeRate > type(uint224).max) revert PriceTooLarge(). Hence, adding more require statements that further validate whether the answers returned by latestRoundData are stale or not is appeared to be consistent.
Proof of Concept
The following steps can occur.
When calling the following _updateExchangeRate function, (, int256 _answer, , , ) = AggregatorV3Interface(oracleMultiply).latestRoundData() and (, int256 _answer, , , ) = AggregatorV3Interface(oracleDivide).latestRoundData(); are executed.
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L516-L547
Vulnerability details
Impact
Although the protocol recognizes that Chainlink oracles can provide outdated answers, using stale answers without further validation might not be a good practice. Moreover, in the
_updateExchangeRate
function, where thelatestRoundData
method is used, there are already checks that can possibly revert, such asif (_answer <= 0) {revert OracleLTEZero(oracleMultiply)}
andif (_exchangeRate > type(uint224).max) revert PriceTooLarge()
. Hence, adding morerequire
statements that further validate whether the answers returned bylatestRoundData
are stale or not is appeared to be consistent.Proof of Concept
The following steps can occur.
_updateExchangeRate
function,(, int256 _answer, , , ) = AggregatorV3Interface(oracleMultiply).latestRoundData()
and(, int256 _answer, , , ) = AggregatorV3Interface(oracleDivide).latestRoundData();
are executed.https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L516-L547
_answer
returned by the twolatestRoundData
function calls are further checked against 0._answer
. Hence, there is no guarantee if the returned answers are stale.Tools Used
VSCode
Recommended Mitigation Steps
https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L516-L547 can be changed to the following code.