Vulnerability details
Impact
The function getPORFeedData() inside StaderOracle calls Chainlink's latestRoundData() but does not validate the returned data: it never checks that the returned price is non-zero, that the round is complete, or that the update timestamp is recent. The function can therefore return a stale or wrong price, so the protocol functions that rely on an accurate price feed may not work as expected, and in some cases this can lead to a loss of funds.
Proof of Concept
The issue occurs in the getPORFeedData() function (linked under Lines of code).
The function getPORFeedData() calls latestRoundData() to get the prices of the (ETH, ETHX) tokens from Chainlink price feeds, but it does not implement the checks required to verify that the prices returned by the latestRoundData() call are non-zero, and it performs no check on the round's timestamp or completeness to reject outdated results; according to Chainlink's documentation this can lead to stale prices being consumed.
Because the protocol uses the oracle prices to update the exchange rate in updateERFromPORFeed(), it must receive an accurate price feed. If an oracle returns a stale or wrong price, the new exchange rate will be wrong, which can potentially lead to a loss of funds.
Tools Used
Manual review
Recommended Mitigation Steps
Add the required checks wherever latestRoundData() is called in the instances mentioned above: the getPORFeedData() function should be updated to verify that the returned price is non-zero, that the round is complete, and that the update timestamp is fresh before the value is used.
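The following is an added example, not the Stader code and not part of the original report. It shows the three checks the mitigation calls for (non-zero price, round completeness, update timestamp) as a small Solidity library, plus a hypothetical reader in the shape of getPORFeedData() that applies them to two feeds. The library and contract names, the feed addresses, and the maxAge value are assumptions; the AggregatorV3Interface is the standard Chainlink interface, copied inline so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Minimal copy of Chainlink's AggregatorV3Interface so this example compiles stand-alone.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical helper (added example, not Stader code): reads a Chainlink feed
/// and reverts unless the answer passes the price, completeness and freshness checks.
library SafeChainlink {
    error NonPositivePrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    function readPrice(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // 1. Price check: a zero (or negative) answer is never a valid ETH / ETHX price.
        if (answer <= 0) revert NonPositivePrice(answer);

        // 2. Completeness check: updatedAt == 0 means the round has not finished, and
        //    answeredInRound < roundId means the answer was carried over from an older round.
        if (updatedAt == 0 || answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        // 3. Freshness check: reject data older than the feed's heartbeat plus a margin (maxAge).
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);

        return uint256(answer);
    }
}

/// @notice Hypothetical reader in the shape of getPORFeedData(): two feeds, one result pair.
contract PORFeedReaderExample {
    using SafeChainlink for AggregatorV3Interface;

    AggregatorV3Interface public immutable ethFeed;  // assumption: ETH feed address, set at deployment
    AggregatorV3Interface public immutable ethxFeed; // assumption: ETHX feed address, set at deployment
    uint256 public immutable maxAge;                 // assumption: feed heartbeat + margin, in seconds

    constructor(AggregatorV3Interface _ethFeed, AggregatorV3Interface _ethxFeed, uint256 _maxAge) {
        ethFeed = _ethFeed;
        ethxFeed = _ethxFeed;
        maxAge = _maxAge;
    }

    /// Returns both prices, or reverts so that a caller such as an exchange-rate update
    /// never proceeds on zero, incomplete or stale oracle data.
    function getPORFeedData() external view returns (uint256 ethPrice, uint256 ethxPrice) {
        ethPrice = ethFeed.readPrice(maxAge);
        ethxPrice = ethxFeed.readPrice(maxAge);
    }
}
```

The design choice here is to revert rather than return a fallback value: an exchange-rate update that fails loudly is safer than one that silently consumes a stale price. maxAge should be set per feed from the heartbeat Chainlink documents for that feed, with a small margin for block timing; a value that is too tight causes spurious reverts, while one that is too loose defeats the freshness check.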
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L637-L651
Assessed type
Oracle