code-423n4 / 2024-01-salty-findings


If chainlink oracle get deprecated, there is no way to update new address #1011

Closed c4-bot-9 closed 4 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/CoreChainlinkFeed.sol#L1

Vulnerability details

Theoretically, a chainlink oracle can be deprecated. In that case, the latestRoundData() function will revert, and no data will be returned. But there is no mechanism to update to a new address of the chainlink data feed. It will lead to a scenario in which there are only 2 oracle data sources left to fetch the price from:

AggregatorV3Interface immutable public CHAINLINK_BTC_USD;
AggregatorV3Interface immutable public CHAINLINK_ETH_USD; // <-- it is immutable, and value is set in the constructor

constructor( address _CHAINLINK_BTC_USD, address _CHAINLINK_ETH_USD )
    {
    CHAINLINK_BTC_USD = AggregatorV3Interface(_CHAINLINK_BTC_USD);
    CHAINLINK_ETH_USD = AggregatorV3Interface(_CHAINLINK_ETH_USD);
    }

Impact

Only two oracle data sources are left to fetch the price from, which will increase the chance that the price could be manipulated.

Tools Used

Manual review.

Recommended Mitigation Steps

There should be a governance proposal to update to a new chainlink oracle address.

Assessed type

Oracle
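As an added example of the mitigation this finding recommends (not Salty.IO's code and not part of the submission), the sketch below keeps the feed addresses in storage behind a governance-gated setter instead of immutables, and wraps latestRoundData() in try/catch so a feed that has been deprecated and reverts does not take the whole price path down with it. The contract, governance address and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface covering the one Chainlink AggregatorV3Interface call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper: feed addresses live in storage rather than immutables,
// and only the configured governance address may replace them.
contract UpdatableChainlinkFeed {
    address public governance;
    AggregatorV3Interface public chainlinkBtcUsd;
    AggregatorV3Interface public chainlinkEthUsd;
    event FeedUpdated(string pair, address oldFeed, address newFeed);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address _governance, address _btcUsd, address _ethUsd) {
        require(_governance != address(0) && _btcUsd != address(0) && _ethUsd != address(0), "zero address");
        governance = _governance;
        chainlinkBtcUsd = AggregatorV3Interface(_btcUsd);
        chainlinkEthUsd = AggregatorV3Interface(_ethUsd);
    }

    // Governance-gated replacement of a feed: the update path the finding says is missing.
    function setBtcUsdFeed(address newFeed) external onlyGovernance {
        require(newFeed != address(0), "zero address");
        emit FeedUpdated("BTC/USD", address(chainlinkBtcUsd), newFeed);
        chainlinkBtcUsd = AggregatorV3Interface(newFeed);
    }
    function setEthUsdFeed(address newFeed) external onlyGovernance {
        require(newFeed != address(0), "zero address");
        emit FeedUpdated("ETH/USD", address(chainlinkEthUsd), newFeed);
        chainlinkEthUsd = AggregatorV3Interface(newFeed);
    }

    // A deprecated feed reverts inside latestRoundData(); try/catch turns that into ok == false
    // so the caller can fall back to its other price sources. Note that try/catch does not cover
    // a feed address that holds no code at all; that call reverts in the caller before the try.
    function tryLatestPrice(AggregatorV3Interface feed) internal view returns (int256 price, bool ok) {
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256, uint80) {
            return (answer, answer > 0);
        } catch {
            return (0, false);
        }
    }
}
```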

c4-judge commented 5 months ago

Picodes changed the severity to QA (Quality Assurance)

Picodes commented 5 months ago

Downgrading to QA as Chainlink oracles are upgradeable for this