code-423n4 / 2022-10-inverse-findings


Chainlink's `latestAnswer()` is deprecated and should be checked for stale data #537

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L116

Vulnerability details

Impact

Chainlink has deprecated their latestAnswer() API in favor of the latestRoundData(). The returned data should also be checked to be recent. Stale data could lead to a miscalculation of collateral value.

Proof of Concept

The Oracle's getPrice() uses a deprecated function of the Chainlink API

function getPrice(address token, uint collateralFactorBps) external returns (uint) {
    ...
    uint price = feeds[token].feed.latestAnswer();

Tools Used

Manual review

Recommended Mitigation Steps

Use the latestRoundData() and check if the data is recent by comparing the roundId and answeredInRound values.

function getPrice(address token, uint collateralFactorBps) external returns (uint) {
    ...
    // latestRoundData() returns the round metadata needed for the staleness check
    (uint80 roundId, int256 answer, , , uint80 answeredInRound) = feeds[token].feed.latestRoundData();
    require(answeredInRound >= roundId, "Stale price data.");
    uint price = uint(answer);
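The following is an added, stand-alone example (not code from the Inverse repository or from the warden's submission) of the staleness check this finding recommends, with the `AggregatorV3Interface` reproduced inline and a constructed `MockFeed` so the revert paths can be exercised without a live Chainlink aggregator. The contract and error names (`StaleCheckedPriceReader`, `StaleRound`, `StaleTimestamp`, `InvalidAnswer`) are hypothetical, and the `maxAge` parameter is an assumed per-feed tolerance that a caller would set from the feed's published heartbeat:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink's AggregatorV3Interface, reproduced inline so this file compiles on its own.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical price reader (not the Inverse Oracle) that rejects stale or invalid answers
// instead of silently using whatever latestAnswer() would have returned.
contract StaleCheckedPriceReader {
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StaleTimestamp(uint256 updatedAt, uint256 maxAge);
    error InvalidAnswer(int256 answer);

    // Returns the latest answer normalised to 18 decimals, reverting if the feed is stale.
    // maxAge is the caller's tolerance in seconds (assumed: the feed heartbeat plus a margin).
    function getCheckedPrice(AggregatorV3Interface feed, uint256 maxAge) public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // Round-completeness check recommended in the finding: the answer must belong to
        // the round we were told about, not to an older one.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        // Timestamp check: an unset updatedAt, a future timestamp, or an update older
        // than maxAge all mean the feed is not delivering fresh data.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StaleTimestamp(updatedAt, maxAge);
        }

        // A zero or negative answer is never a usable collateral price.
        if (answer <= 0) revert InvalidAnswer(answer);

        uint8 dec = feed.decimals();
        if (dec < 18) return uint256(answer) * 10 ** (18 - dec);
        return uint256(answer) / 10 ** (dec - 18);
    }
}

// Constructed mock feed for exercising the checks above; values are set by the caller.
contract MockFeed is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;
    uint8 public override decimals = 8;

    function set(uint80 _roundId, int256 _answer, uint256 _updatedAt, uint80 _answeredInRound) external {
        roundId = _roundId;
        answer = _answer;
        updatedAt = _updatedAt;
        answeredInRound = _answeredInRound;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (roundId, answer, 0, updatedAt, answeredInRound);
    }
}
```

With `MockFeed.set(10, 1500e8, block.timestamp, 10)` the reader returns `1500e18`; with `set(10, 1500e8, block.timestamp, 9)` it reverts with `StaleRound`, and with an `updatedAt` older than `maxAge` it reverts with `StaleTimestamp`. The `updatedAt` comparison is the check that carries the weight on current feeds: Chainlink has since documented `answeredInRound` as deprecated, so a heartbeat-based freshness bound should be present even where the round comparison is kept.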
neumoxx commented 2 years ago

Duplicate of #601

c4-judge commented 1 year ago

0xean marked the issue as duplicate

Simon-Busch commented 1 year ago

Issue marked as satisfactory as requested by 0xean

c4-judge commented 1 year ago

Simon-Busch marked the issue as duplicate of #584