code-423n4 / 2023-07-moonwell-findings


Deprecated value used in oracle price function could lead to unexpected outcomes #283

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkCompositeOracle.sol#L180-L195

Vulnerability details

Impact

In the ChainlinkCompositeOracle.sol file, the function getPriceAndDecimals(address oracleAddress) has the lines:

    bool valid = price > 0 && answeredInRound == roundId;
    require(valid, "CLCOracle: Oracle data is invalid");

The Chainlink documentation says that answeredInRound is deprecated and therefore should no longer be used. You can check it out here: https://docs.chain.link/data-feeds/api-reference#latestrounddata

Tools Used

Manual Review

Recommended Mitigation Steps

Because the Chainlink documentation says that "answeredInRound" is deprecated, it should not be used, as it might result in unexpected outcomes, especially since it is used as part of a require statement.

Assessed type

Oracle
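For reference, a validity check that does not read answeredInRound can be built on the updatedAt value that latestRoundData() also returns. The following is an added example, not code from the report or from the Moonwell repository; the contract name FeedReader, the function readPrice, the revert strings and the MAX_AGE value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Chainlink AggregatorV3Interface, reduced to the two calls used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Hypothetical reader contract (illustration only).
contract FeedReader {
    // Assumed maximum age of an answer; choose it per feed from the feed's heartbeat.
    uint256 public constant MAX_AGE = 1 hours;

    function readPrice(address oracleAddress)
        public
        view
        returns (int256 price, uint8 decimals)
    {
        AggregatorV3Interface feed = AggregatorV3Interface(oracleAddress);
        uint256 updatedAt;

        // roundId, startedAt and answeredInRound are deliberately not read.
        (, price, , updatedAt, ) = feed.latestRoundData();

        // Same price > 0 condition as the snippet quoted in the report.
        require(price > 0, "FeedReader: non-positive price");
        // updatedAt == 0 means the round has not completed.
        require(updatedAt != 0, "FeedReader: round not complete");
        require(updatedAt <= block.timestamp, "FeedReader: future timestamp");
        // Freshness is judged by timestamp instead of by comparing round ids.
        require(block.timestamp - updatedAt <= MAX_AGE, "FeedReader: stale price");

        decimals = feed.decimals();
    }
}
```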

0xSorryNotSorry commented 1 year ago

OOS --> [N‑31] Chainlink oracle roundId and answeredIn variables no longer contain useful information

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

alcueca marked the issue as unsatisfactory: Invalid