Open code423n4 opened 1 year ago
For transparency, the warden was unable to edit submission title. C4 staff has updated from M-11 to M-10.
Anticipating removing the up-front call to .aggregator() and instead try-catch'ing the .latestRoundData() call. In the catch, we can make the .aggregator() call.
I'm having trouble adding the Confirmed label to this one...
Hi @tbrent - I've added sponsor confirmed on your behalf, but please let me know if that is incorrect.
Note: will also flag this for our dev team.
0xean marked the issue as satisfactory
Does it also need a "grade-x" tag? I'm not sure about these scoring rules, just a reminder.
Lines of code
https://github.com/reserve-protocol/protocol/blob/31394fdd52e2f16595dff36949076804b85e3f81/contracts/plugins/assets/OracleLib.sol#L24-L26
Vulnerability details
Comments
I think it's not a good idea to waste gas on an action with no definite effect. Firstly, you can fetch the deprecation state by tracking Chainlink's official data at https://reference-data-directory.vercel.app/feeds-mainnet.json (it's the data source of https://docs.chain.link/, but since the URLs are not documented anywhere there is a chance they won't work in the long term; still, you could save/cache that data and update it from time to time), which includes deprecating feeds, such as:
And based on my observation, most of the deprecated feeds are still running normally. Chainlink does not specify the on-chain behavior when deprecation occurs. Maybe it will set the aggregator to address zero, or maybe other changes will also lead to a revert without a message, such as an address like 0xdEaD. So I think it's not a good idea to add the check EACAggregatorProxy(address(chainlinkFeed)).aggregator() == address(0) to every oracle query, which is a waste of gas. Just let governance handle these rare events IMO.
Assessed type
Context
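The following Solidity sketch is an added illustration and is not the project's OracleLib.sol nor code from any participant in this thread. It places the up-front aggregator() check that the last comment objects to beside the try/catch shape tbrent describes (call latestRoundData() first, and only inspect aggregator() in the catch). The library name, the error names, and the staleness rules inside _validate are assumptions made here for the example; the two interfaces are trimmed to the functions the example uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Trimmed Chainlink interfaces: only the functions this example calls.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// EACAggregatorProxy exposes the address of the aggregator it currently forwards to.
interface EACAggregatorProxy {
    function aggregator() external view returns (address);
}

// Illustrative library (assumed name), not the project's OracleLib.
library OracleLibExample {
    error StalePrice();
    error FeedDeprecated(address feed);

    // Variant A: pay for an extra external call to aggregator() on every query,
    // whether or not the feed is healthy. This is the shape the comment above objects to.
    function priceUpFrontCheck(AggregatorV3Interface feed, uint48 timeout) internal view returns (int256) {
        if (EACAggregatorProxy(address(feed)).aggregator() == address(0)) revert FeedDeprecated(address(feed));
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        _validate(roundId, answer, updatedAt, answeredInRound, timeout);
        return answer;
    }

    // Variant B: try latestRoundData() first; only when it reverts, spend gas on aggregator()
    // to distinguish "deprecated proxy" from "other failure". Healthy feeds pay nothing extra.
    function priceTryCatch(AggregatorV3Interface feed, uint48 timeout) internal view returns (int256) {
        try feed.latestRoundData() returns (
            uint80 roundId,
            int256 answer,
            uint256, /* startedAt */
            uint256 updatedAt,
            uint80 answeredInRound
        ) {
            _validate(roundId, answer, updatedAt, answeredInRound, timeout);
            return answer;
        } catch {
            // aggregator() can itself revert (e.g. the feed is not an EACAggregatorProxy),
            // so it is wrapped in its own try so that it cannot mask the original failure.
            try EACAggregatorProxy(address(feed)).aggregator() returns (address agg) {
                if (agg == address(0)) revert FeedDeprecated(address(feed));
            } catch {}
            revert StalePrice();
        }
    }

    // Assumed staleness rules for the example: positive answer, a completed round,
    // and an update no older than `timeout` seconds.
    function _validate(
        uint80 roundId,
        int256 answer,
        uint256 updatedAt,
        uint80 answeredInRound,
        uint48 timeout
    ) private view {
        if (answer <= 0) revert StalePrice();
        if (updatedAt == 0 || answeredInRound < roundId) revert StalePrice();
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > timeout) revert StalePrice();
    }
}
```

Both variants end in the same revert for a feed whose latestRoundData() fails for reasons other than a zeroed aggregator, which is the point made in the last comment: the on-chain signature of a deprecation is not specified, so the extra aggregator() call only helps in the one case where the proxy is zeroed, and Variant B at least confines that cost to the failure path.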