Closed code423n4 closed 11 months ago
The admin's overriding price set is not due to stale prices but is an intervention for situations like depeg events etc. So one should not expect a continuous dynamic price feed of the referred assets. The implementation is the intended behaviour.
Invalid assumption.
0xSorryNotSorry marked the issue as low quality report
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L118-L138
Vulnerability details
Impact
Price feeds can be affected by network congestion, causing transactions with outdated prices to be treated as current prices. As price feeds are crucial to the protocol's functioning, this situation can lead to incorrect liquidation of users' positions and result in financial losses for users.
Proof of Concept
In ChainlinkOracle.sol, the getPrice function contains two ways of sourcing the price: via Chainlink, and via manual input by the admin. As we can check from the getPrice function, lines 79-83, if prices[address(token)] != 0 it will take the price from the admin's manual input; otherwise it takes it from Chainlink. If we check again where prices[asset] is manually input, it is via two functions. Both functions require only two parameters: the token and the price. The timestamp of the price is not considered in these functions. As a consequence, the price feeds may encounter disruptions during network congestion, leading to the acceptance of stale prices as if they were up-to-date.
Since the accuracy of price feeds is critical to the protocol's operations, this situation could potentially result in users' positions being liquidated incorrectly and, in turn, cause financial losses for users.
Proof of Concept:
Tools Used
Manual Analysis
Recommended Mitigation Steps
Consider adding a timestamp to each manually set price and a time threshold, so that an override older than the threshold is no longer treated as a current price.
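The mitigation sketched above, as an added illustration that is not the Moonwell ChainlinkOracle code: the contract name, setPrice, getOverridePrice and MAX_AGE are assumed names, and the "before" line in the comment stands in for the page's timestamp-less prices[asset] assignment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch of an admin price override that records when it was set.
// Names (PriceOverride, setPrice, getOverridePrice, MAX_AGE) are assumptions
// for this example; this is not the project's ChainlinkOracle implementation.
contract PriceOverride {
    struct Override {
        uint256 price;      // overriding price; 0 means "no override"
        uint256 updatedAt;  // block.timestamp at which the admin set it
    }

    address public immutable admin;
    // Maximum age for which an override is honoured (assumed value).
    uint256 public constant MAX_AGE = 1 hours;
    mapping(address => Override) public overrides;

    event PriceOverridden(address indexed token, uint256 price, uint256 updatedAt);

    constructor() {
        admin = msg.sender;
    }

    // Before: prices[token] = price;   // no timestamp, so the override never ages out.
    // After:  the timestamp is stored next to the price.
    function setPrice(address token, uint256 price) external {
        require(msg.sender == admin, "not admin");
        overrides[token] = Override(price, block.timestamp);
        emit PriceOverridden(token, price, block.timestamp);
    }

    // Returns (price, true) only while the override is fresh.
    // (0, false) tells the caller that no usable override exists, so it
    // should consult the Chainlink feed (or revert, see note below).
    function getOverridePrice(address token) public view returns (uint256, bool) {
        Override memory o = overrides[token];
        if (o.price == 0) return (0, false);
        if (block.timestamp - o.updatedAt > MAX_AGE) return (0, false);
        return (o.price, true);
    }
}
```

Whether an expired override should fall back to the Chainlink feed or revert is a design decision: given the sponsor's comment that overrides are interventions for events such as depegs, silently returning to the feed the admin chose to override may not be the desired outcome.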
Assessed type
Oracle