code-423n4 / 2023-07-moonwell-findings

Missing check of how recent the price is can lead to stale price being used in the protocol #281

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L97-L113

Vulnerability details

Impact

In the ChainlinkOracle.sol file, in the function getChainlinkPrice(AggregatorV3Interface feed), there is the check require(updatedAt != 0, "Round is in incompleted state");. However, there is no check to see that the price is recent and acceptable. If there is a problem with the oracle, that will result in outdated pricing data being returned. As a result of this, critical calculations for allowed borrowing and liquidations would become inaccurate. It might become possible to liquidate safe positions or take out under-collateralized borrows.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a check to see if the price is recent and acceptable.

Assessed type

Oracle
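To make the finding and its mitigation concrete, here is an added example (not the Moonwell contract and not code from the report): a hypothetical wrapper `StalenessCheckedOracle` with the unchecked read shape the finding describes next to a hardened read that enforces a governance-configured per-feed maximum age. The `maxFeedAge` mapping, `setMaxFeedAge` and the `admin` address are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper (not the audited contract) contrasting the two reads.
contract StalenessCheckedOracle {
    address public immutable admin;
    // Assumption: per-feed maximum age set by governance to the feed's
    // documented heartbeat (a feed that has not updated within it is stale).
    mapping(address => uint256) public maxFeedAge;

    constructor() { admin = msg.sender; }

    function setMaxFeedAge(address feed, uint256 maxAge) external {
        require(msg.sender == admin, "not admin");
        require(maxAge != 0, "maxAge must be non-zero");
        maxFeedAge[feed] = maxAge;
    }

    // Shape described in the finding: validates the answer and that the round
    // completed, but never compares updatedAt with the current block time, so
    // a feed that stops updating keeps returning its last (stale) answer.
    function getPriceUnchecked(AggregatorV3Interface feed) public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "Chainlink price cannot be lower or equal to 0");
        require(updatedAt != 0, "Round is in incompleted state");
        return uint256(answer);
    }

    // Hardened read: same validation plus a freshness bound, so borrowing and
    // liquidation math reverts instead of consuming an outdated price.
    function getPriceChecked(AggregatorV3Interface feed) public view returns (uint256) {
        uint256 maxAge = maxFeedAge[address(feed)];
        require(maxAge != 0, "feed heartbeat not configured");
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "Chainlink price cannot be lower or equal to 0");
        require(updatedAt != 0, "Round is in incompleted state");
        // Legacy check; informational on newer feeds but harmless to keep.
        require(answeredInRound >= roundId, "stale round: answer carried over");
        require(block.timestamp - updatedAt <= maxAge, "stale price: heartbeat exceeded");
        return uint256(answer);
    }
}
```

Callers that cannot tolerate a revert (for example a liquidation path) should decide explicitly what to do when the checked read fails, rather than silently falling back to the unchecked one.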

0xSorryNotSorry commented 1 year ago

OOS --> [M‑02] Insufficient oracle validation

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

alcueca marked the issue as unsatisfactory: Invalid