Closed code423n4 closed 1 year ago
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkCompositeOracle.sol#L180-L195
Vulnerability details
Impact
In the ChainlinkCompositeOracle.sol file, the function getPriceAndDecimals(address oracleAddress) has the lines:
bool valid = price > 0 && answeredInRound == roundId;
require(valid, "CLCOracle: Oracle data is invalid");
The Chainlink documentation says that answeredInRound is deprecated and therefore should no longer be used. You can check it out here: https://docs.chain.link/data-feeds/api-reference#latestrounddata
Tools Used
Manual Review
Recommended Mitigation Steps
Because the Chainlink documentation says that "answeredInRound" is deprecated, it should not be used, as it might result in unexpected outcomes, especially since it is used as part of a require statement.
Assessed type
Oracle
OOS --> [N‑31] Chainlink oracle roundId and answeredIn variables no longer contain useful information
0xSorryNotSorry marked the issue as low quality report
alcueca marked the issue as unsatisfactory: Invalid