Closed code423n4 closed 11 months ago
The submission does not provide any demonstration of the issue and the reasoning.
0xSorryNotSorry marked the issue as low quality report
Lack of proof. Chainlink actually tends to return wrong data instead of reverting, which would be the safe scenario.
alcueca marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Oracles/ChainlinkOracle.sol#L100-L101
Vulnerability details
Impact
A call to latestRoundData could revert and make it impossible to query any prices. The getChainlinkPrice function should wrap the call in try/catch so that a revert inside the price feed cannot make getChainlinkPrice itself revert and block the system (a denial of service).

Proof of Concept

The getChainlinkPrice function calls latestRoundData directly, without the try/catch that is recommended when calling latestRoundData. To prevent a bad scenario such as denial of service or a blocked function, it is recommended to query Chainlink price feeds using a defensive approach with Solidity's try/catch structure. In this way, if the call to the price feed fails, the caller contract is still in control and can handle any errors safely and explicitly.
Tools Used
manual review
Recommended Mitigation Steps
Surround the call to `latestRoundData()` with try/catch instead of calling it directly.

Assessed type
Oracle
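As an added illustration of the recommended mitigation (this is example code written here, not Moonwell's ChainlinkOracle.sol or any project code), the read below wraps latestRoundData in try/catch and, because the judge notes that Chainlink feeds tend to return bad data rather than revert, also validates the returned round before trusting it. The contract name, the maxStaleness parameter and the (price, ok) return convention are assumptions for the example; the AggregatorV3Interface signature is Chainlink's public one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's public AggregatorV3Interface (only what this example needs).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Added example, not Moonwell's code: a defensive price read that never bubbles up a feed revert.
// `maxStaleness` and the (price, ok) return convention are assumptions made for this example.
contract DefensiveChainlinkReader {
    uint256 public immutable maxStaleness; // seconds after which a round is treated as stale

    constructor(uint256 _maxStaleness) {
        maxStaleness = _maxStaleness;
    }

    /// @notice Returns (price, ok). `ok == false` means the feed reverted or returned unusable
    ///         data; the caller decides how to handle that instead of the whole call reverting.
    function getChainlinkPrice(AggregatorV3Interface feed)
        public
        view
        returns (uint256 price, bool ok)
    {
        // The external call is wrapped in try/catch: a revert inside the feed is caught here.
        try feed.latestRoundData() returns (
            uint80 roundId,
            int256 answer,
            uint256, /* startedAt, unused */
            uint256 updatedAt,
            uint80 answeredInRound
        ) {
            // The call succeeded, but a feed can still hand back bad data instead of reverting,
            // so validate the round before trusting the answer.
            if (answer <= 0) return (0, false);                       // negative or zero price
            if (updatedAt == 0 || updatedAt > block.timestamp) return (0, false); // incomplete round
            if (block.timestamp - updatedAt > maxStaleness) return (0, false);    // stale round
            if (answeredInRound < roundId) return (0, false);         // answer from an older round
            return (uint256(answer), true);
        } catch {
            // The feed reverted (or is not a valid aggregator): signal failure, do not revert,
            // so one broken feed cannot block every price consumer.
            return (0, false);
        }
    }
}
```

Callers should branch on `ok` explicitly (for example, refuse to use the asset or fall back to a secondary source) rather than treating a zero price as valid; the point of the pattern is that the decision stays with the caller instead of being forced by a revert inside the feed.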