Closed c4-submissions closed 1 year ago
raymondfam marked the issue as low quality report
raymondfam marked the issue as duplicate of #66
raymondfam marked the issue as duplicate of #552
raymondfam marked the issue as sufficient quality report
gzeon-c4 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L72
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L75
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L324-L328
Vulnerability details
Impact
It allows for the use of stale prices in cases where they will either damage the protocol or the user.
Proof of Concept
The protocol has a price oracle system where the price gets updated by an account with a privileged role by calling `updatePrice()`. The issue arises due to `lastPriceUpdate` not getting used in order to make sure old prices do not get used when interacting with the protocol.
Tools Used
Manual review
Recommended Mitigation Steps
Consider implementing the following constant value:
Also add the following check before any place where `latestPrice` is used.
Assessed type
Other
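
The kind of staleness check the report recommends, as an added example that is not part of the submission and is not Centrifuge's code. The contract name, `MAX_PRICE_AGE` and its one-day value, `priceUpdater`, `freshPrice()` and `quoteShares()` are hypothetical; only `updatePrice()`, `latestPrice` and `lastPriceUpdate` are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch only; not the Centrifuge LiquidityPool contract.
contract StalenessGuardedPrice {
    /// Assumed bound on price age; the right value depends on how often the feed is updated.
    uint256 public constant MAX_PRICE_AGE = 1 days;

    address public immutable priceUpdater; // stands in for the privileged role
    uint128 public latestPrice;
    uint256 public lastPriceUpdate;

    error NotAuthorized();
    error ZeroPrice();
    error PriceNeverSet();
    error StalePrice(uint256 lastUpdate, uint256 currentTime);

    constructor(address updater) {
        priceUpdater = updater;
    }

    /// Privileged update: records the price together with the time it was set.
    function updatePrice(uint128 price) external {
        if (msg.sender != priceUpdater) revert NotAuthorized();
        if (price == 0) revert ZeroPrice();
        latestPrice = price;
        lastPriceUpdate = block.timestamp;
    }

    /// Returns the price only if it has been set and is no older than MAX_PRICE_AGE.
    function freshPrice() public view returns (uint128) {
        uint256 last = lastPriceUpdate;
        if (last == 0) revert PriceNeverSet();
        if (block.timestamp - last > MAX_PRICE_AGE) {
            revert StalePrice(last, block.timestamp);
        }
        return latestPrice;
    }

    /// Example consumer: every read goes through freshPrice() instead of latestPrice.
    /// Assumes an 18-decimal fixed-point price.
    function quoteShares(uint256 assets) external view returns (uint256) {
        return (assets * 1e18) / freshPrice();
    }
}
```

A reverting check like this halts every price-dependent operation whenever the updater falls behind, so the age bound has to be chosen against the feed's real update cadence.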