code-423n4 / 2022-08-frax-findings


Chainlink’s latestRoundData might return stale or incorrect results #361

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L524

Vulnerability details

Impact

On ChainlinkPriceOracle.sol, we are using latestRoundData, but there is no check if the return value indicates stale data.

Proof of Concept

File: contracts/FraxlendPairCore.sol

      (, int256 _answer, , , ) = AggregatorV3Interface(oracleMultiply).latestRoundData();

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L524

        (, int256 _answer, , , ) = AggregatorV3Interface(oracleDivide).latestRoundData();

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L532

This could lead to stale prices according to the Chainlink documentation:

https://docs.chain.link/docs/historical-price-data/#historical-rounds

https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round

as seen in previous contests. ex: https://code4rena.com/reports/2022-04-phuture/#m-02-chainlinks-latestrounddata-might-return-stale-or-incorrect-results

Tools Used

github

Recommended Mitigation Steps

Consider adding missing checks for stale data.
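The checks recommended above could look like the following. This is an added example, not part of the original report and not Fraxlend code. The `FreshPrice` library, its error names and the `maxAge` parameter are hypothetical; the interface is the subset of Chainlink's `AggregatorV3Interface` that the report's snippets call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Subset of Chainlink's AggregatorV3Interface, declared inline so this file compiles on its own.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper (assumption): validates a feed answer before it is used in pricing.
library FreshPrice {
    error NonPositiveAnswer(address feed, int256 answer);
    error IncompleteRound(address feed);
    error CarriedOverAnswer(address feed, uint80 roundId, uint80 answeredInRound);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);

    // maxAge (assumption): maximum accepted age in seconds, chosen per feed
    // from its published heartbeat plus a safety margin.
    function read(address feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();

        // A zero or negative price must never reach the exchange-rate math.
        if (answer <= 0) revert NonPositiveAnswer(feed, answer);
        // updatedAt == 0 means the round has not completed.
        if (updatedAt == 0) revert IncompleteRound(feed);
        // The answer was computed in an earlier round and carried over.
        if (answeredInRound < roundId) revert CarriedOverAnswer(feed, roundId, answeredInRound);
        // Reject timestamps in the future and answers older than maxAge.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(feed, updatedAt, maxAge);
        }
        return uint256(answer);
    }
}
```

A caller would replace each bare `(, int256 _answer, , , ) = ...latestRoundData()` destructuring with `FreshPrice.read(feed, maxAge)` and decide how the pair should behave on revert, for example by pausing borrowing rather than pricing against a stale answer.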

0xA5DF commented 2 years ago

This is part of the 'Known issues' (AKA out of scope):

Chainlink oracles can provide outdated answers

DrakeEvans commented 2 years ago

Out of scope, part of known issues

amirnader-ghazvini commented 2 years ago

Duplicate of #179