Closed code423n4 closed 1 year ago

Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L648

Vulnerability details

Impact
In StaderOracle::getPORFeedData, latestRoundData is used, but there is no check whether the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation: https://docs.chain.link/data-feeds/historical-data

Proof of Concept
```solidity
(, int256 totalETHBalanceInInt, , , ) = AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy())
    .latestRoundData();
(, int256 totalETHXSupplyInInt, , , ) = AggregatorV3Interface(staderConfig.getETHXSupplyPORFeedProxy())
    .latestRoundData();
return (uint256(totalETHBalanceInInt), uint256(totalETHXSupplyInInt), block.number);
```

Tools Used
Manual

Recommended Mitigation Steps
`(uint80 roundID, int256 answer, , uint256 updatedAt, uint80 answeredInRound)` are the return parameters of latestRoundData, so checks like the one below can be added.
```solidity
(uint80 roundID, int256 answer, , uint256 updatedAt, uint80 answeredInRound)
...
require(answeredInRound >= roundID, "Stale price");
```

Assessed type
Oracle

Picodes marked the issue as duplicate of #15
Picodes marked the issue as satisfactory
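The following is an added example, not code from the issue author or from the Stader repository. It shows a validated feed read that goes beyond the single `answeredInRound >= roundID` require in the mitigation: it also rejects an answer whose `updatedAt` is older than an assumed heartbeat window and an answer that is zero or negative (the unchecked `int256` to `uint256` cast in `getPORFeedData` would otherwise turn a negative value into a huge balance). `IAggregatorV3`, `SafeFeedReader`, `PORFeedConsumer` and `MAX_FEED_AGE` are names and values chosen for this example; the real heartbeat must be taken from the specific feed's documentation. Chainlink's current feed documentation marks `answeredInRound` as deprecated, so the `updatedAt` check is the one a defender should rely on to detect a feed that has stopped updating.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal aggregator interface; same return shape as Chainlink's AggregatorV3Interface.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Added example (not Stader's code): read a Proof-of-Reserve feed and revert on
// stale or nonsensical values instead of trusting latestRoundData blindly.
library SafeFeedReader {
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidAnswer(int256 answer);

    /// @param feed   the aggregator proxy (e.g. the PoR feed proxy held in staderConfig)
    /// @param maxAge maximum accepted age of the answer in seconds; derive it from the
    ///               feed's documented heartbeat plus a margin (assumed value in the consumer below)
    function readValidated(IAggregatorV3 feed, uint256 maxAge) internal view returns (uint256 value) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // A round that was started but never answered still carries the previous answer.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        // updatedAt == 0 means the round is incomplete; an old timestamp means the feed
        // has stopped updating. Written without subtraction so a future timestamp cannot underflow.
        if (updatedAt == 0 || updatedAt + maxAge < block.timestamp) revert StalePrice(updatedAt, maxAge);

        // PoR balances and supplies are never zero or negative; casting a negative int256
        // to uint256 (as the original code does) would yield an enormous value.
        if (answer <= 0) revert InvalidAnswer(answer);

        value = uint256(answer);
    }
}

// How a getPORFeedData-style function could use the library.
// Feed addresses and the heartbeat window are placeholders, not Stader's configuration.
contract PORFeedConsumer {
    using SafeFeedReader for IAggregatorV3;

    IAggregatorV3 public immutable ethBalanceFeed;
    IAggregatorV3 public immutable ethxSupplyFeed;
    uint256 public constant MAX_FEED_AGE = 25 hours; // assumed: 24h heartbeat plus a 1h margin

    constructor(IAggregatorV3 _ethBalanceFeed, IAggregatorV3 _ethxSupplyFeed) {
        ethBalanceFeed = _ethBalanceFeed;
        ethxSupplyFeed = _ethxSupplyFeed;
    }

    function getPORFeedData()
        external
        view
        returns (uint256 totalETHBalance, uint256 totalETHXSupply, uint256 blockNumber)
    {
        totalETHBalance = ethBalanceFeed.readValidated(MAX_FEED_AGE);
        totalETHXSupply = ethxSupplyFeed.readValidated(MAX_FEED_AGE);
        blockNumber = block.number;
    }
}
```

Reverting rather than returning a best-effort value is deliberate: a caller such as an exchange-rate computation should fail closed when the feed is stale, and the custom errors make the failing condition visible in traces and monitoring.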