code-423n4 / 2022-10-inverse-findings


Flawed chainlink integration #512

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L6
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L82
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L116

Vulnerability details

Impact

The Chainlink data is currently requested through a deprecated endpoint. Also, there are no checks on the validity of the data. Stale data could lead to users borrowing more than they should be allowed to, or users being liquidated even though they have enough collateral.

Proof of Concept

The Oracle currently uses the latestAnswer function of a Chainlink feed to retrieve current prices:

```solidity
function viewPrice(address token, uint collateralFactorBps) external view returns (uint) {
    ...
    uint price = feeds[token].feed.latestAnswer();
    ...
}

function getPrice(address token, uint collateralFactorBps) external returns (uint) {
    ...
    uint price = feeds[token].feed.latestAnswer();
    ...
}
```

This function is deprecated according to Chainlink's API reference for price feeds and offers no information on the latest time of update.

Tools Used

Manual Review

Recommended Mitigation Steps

Use latestRoundData instead (refer to Chainlink docs linked above). This function also returns the time of update, which can be used to check for staleness of data, which should be handled (for example by emitting events or having a pause mechanism for extended staleness).
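As an added illustration of the recommended pattern (this is example code written here, not part of the finding, the Inverse Oracle.sol, or Chainlink's own contracts): the `latestRoundData` read with validity and staleness checks. The `AggregatorV3Interface` subset below mirrors the signature Chainlink publishes; the contract name, the custom errors and the `maxPriceAge` threshold are hypothetical choices for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface; latestRoundData has this
// signature in the published interface. Only the members used below are declared.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Hypothetical price reader demonstrating the checks the finding asks for.
contract StalenessCheckedOracle {
    error InvalidPrice(address feed, int256 answer);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(address feed, uint80 roundId, uint80 answeredInRound);

    /// @dev Maximum accepted age of a price in seconds. Set per feed in practice,
    /// a little above that feed's heartbeat; the value is an assumption here.
    uint256 public immutable maxPriceAge;

    constructor(uint256 _maxPriceAge) {
        maxPriceAge = _maxPriceAge;
    }

    /// @notice Reads the latest price and reverts unless the round is fresh and usable.
    /// @return price The positive answer, in the feed's own decimals.
    /// @return feedDecimals The feed's decimals, so callers can scale the price.
    function readPrice(AggregatorV3Interface feed)
        public
        view
        returns (uint256 price, uint8 feedDecimals)
    {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // latestAnswer gave no way to tell a zero/negative answer from a real one;
        // here a non-positive answer is rejected outright.
        if (answer <= 0) revert InvalidPrice(address(feed), answer);

        // updatedAt == 0 means the round never completed; a timestamp in the
        // future is also treated as invalid rather than underflowing the subtraction.
        bool stale = updatedAt == 0 ||
            updatedAt > block.timestamp ||
            block.timestamp - updatedAt > maxPriceAge;
        if (stale) revert StalePrice(address(feed), updatedAt, maxPriceAge);

        // A round answered before it was started indicates a stale round was returned.
        if (answeredInRound < roundId) {
            revert IncompleteRound(address(feed), roundId, answeredInRound);
        }

        return (uint256(answer), feed.decimals());
    }
}
```

Reverting is the simplest response to stale data; the finding also mentions emitting events or pausing, and a lending protocol may prefer to pause new borrows rather than block every read, since a revert in a liquidation path can itself be harmful. The staleness window must be chosen per feed from its documented heartbeat, because a single global threshold will be too tight for some feeds and too loose for others.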

neumoxx commented 2 years ago

Duplicate of #601

c4-judge commented 2 years ago

0xean marked the issue as duplicate

Simon-Busch commented 1 year ago

Issue marked as satisfactory as requested by 0xean

c4-judge commented 1 year ago

Simon-Busch marked the issue as duplicate of #584