code-423n4 / 2023-06-stader-findings


Chainlink's latestRoundData might return stale or incorrect results #328

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L648

Vulnerability details

Impact

In StaderOracle::getPORFeedData, latestRoundData is used, but there is no check if the return value indicates stale data.

        (, int256 totalETHBalanceInInt, , , ) = AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy())
            .latestRoundData();
        (, int256 totalETHXSupplyInInt, , , ) = AggregatorV3Interface(staderConfig.getETHXSupplyPORFeedProxy())
            .latestRoundData();
        return (uint256(totalETHBalanceInInt), uint256(totalETHXSupplyInInt), block.number);

This could lead to stale prices according to the Chainlink documentation: https://docs.chain.link/data-feeds/historical-data

Proof of Concept

Tools Used

Manual

Recommended Mitigation Steps

(uint80 roundID, int256 answer, , uint256 updatedAt, uint80 answeredInRound) are the return parameters of latestRoundData, so checks like the one below can be added.

        ...
        require(answeredInRound >= roundID, "Stale price");

Assessed type

Oracle
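A fuller version of the validation this finding asks for, as an added example that is not part of the original report and not Stader's code. The library name, error names and the `maxAge` parameter (a per-feed staleness bound in seconds, chosen by the integrator) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal copy of the Chainlink interface; only the call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper library (illustrative names, not from the audited code base).
library PORFeedReader {
    error NonPositiveAnswer(address feed, int256 answer);
    error IncompleteRound(address feed);
    error StaleRound(address feed, uint80 roundId, uint80 answeredInRound);
    error StaleAnswer(address feed, uint256 updatedAt, uint256 maxAge);

    /// @param maxAge assumed staleness bound in seconds, e.g. the feed heartbeat plus a margin
    function readFresh(address feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();

        // A negative answer would wrap to a huge number in the uint256 cast below.
        if (answer <= 0) revert NonPositiveAnswer(feed, answer);
        // updatedAt == 0 means the round has not completed.
        if (updatedAt == 0) revert IncompleteRound(feed);
        // The check recommended in the finding. Chainlink's interface docs now mark
        // answeredInRound as deprecated, so the time bound below is the primary check.
        if (answeredInRound < roundId) revert StaleRound(feed, roundId, answeredInRound);
        // If updatedAt is in the future the subtraction reverts (0.8.x checked math),
        // which also fails closed.
        if (block.timestamp - updatedAt > maxAge) revert StaleAnswer(feed, updatedAt, maxAge);

        return uint256(answer);
    }

    // Mirrors the return shape of getPORFeedData: (ETH balance, ETHx supply, block number).
    function readPOR(address balanceFeed, address supplyFeed, uint256 maxAge)
        internal view returns (uint256, uint256, uint256)
    {
        return (readFresh(balanceFeed, maxAge), readFresh(supplyFeed, maxAge), block.number);
    }
}
```

Reverting on a stale or non-positive answer makes the caller fail closed instead of consuming the value; whether to revert or fall back to another data source is a design decision for the integrating contract.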

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #15

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory