Theoretically, a Chainlink oracle can be deprecated. In that case, the latestRoundData() function will revert and no data will be returned. But there is no mechanism to update the address of the Chainlink data feed. This leads to a scenario in which only 2 oracle data sources remain to fetch the price:
    AggregatorV3Interface immutable public CHAINLINK_BTC_USD;
    AggregatorV3Interface immutable public CHAINLINK_ETH_USD; // <-- it is immutable, and value is set in the constructor

    constructor( address _CHAINLINK_BTC_USD, address _CHAINLINK_ETH_USD )
    {
        CHAINLINK_BTC_USD = AggregatorV3Interface(_CHAINLINK_BTC_USD);
        CHAINLINK_ETH_USD = AggregatorV3Interface(_CHAINLINK_ETH_USD);
    }
Impact
Only two oracle data sources are left to fetch the price, which increases the chance that the price could be manipulated.
Tools Used
Manual review.
Recommended Mitigation Steps
There should be a governance proposal to update the Chainlink oracle address.
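One way the mitigation could look, as an added sketch that is not the project's code: the feed addresses become storage variables that a governance address can replace. The contract name, `governance`, `setFeed`, `priceBTC`/`priceETH` and the event are hypothetical, and the sketch leaves out decimals scaling and staleness checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal Chainlink aggregator interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical variant of the feed wrapper: feed addresses are replaceable by an
// assumed governance executor. No decimals scaling or staleness check is done here.
contract UpdatableChainlinkFeed {
    address public immutable governance;      // assumed: DAO / timelock executor
    AggregatorV3Interface public btcUsdFeed;  // no longer immutable
    AggregatorV3Interface public ethUsdFeed;
    event FeedUpdated(bytes32 indexed pair, address oldFeed, address newFeed);

    constructor(address _governance, address _btcUsd, address _ethUsd) {
        require(_governance != address(0) && _btcUsd != address(0) && _ethUsd != address(0), "zero address");
        governance = _governance;
        btcUsdFeed = AggregatorV3Interface(_btcUsd);
        ethUsdFeed = AggregatorV3Interface(_ethUsd);
    }

    // Intended to be called when a governance proposal is executed.
    function setFeed(bool isBTC, address newFeed) external {
        require(msg.sender == governance, "only governance");
        require(newFeed.code.length > 0, "feed is not a contract");
        // Reject a replacement that already reverts or reports a non-positive price.
        require(_read(AggregatorV3Interface(newFeed)) > 0, "new feed not live");
        if (isBTC) {
            emit FeedUpdated("BTC/USD", address(btcUsdFeed), newFeed);
            btcUsdFeed = AggregatorV3Interface(newFeed);
        } else {
            emit FeedUpdated("ETH/USD", address(ethUsdFeed), newFeed);
            ethUsdFeed = AggregatorV3Interface(newFeed);
        }
    }

    // Returns 0 instead of reverting when latestRoundData() reverts, so callers see "unavailable".
    function _read(AggregatorV3Interface feed) internal view returns (uint256) {
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256, uint80) {
            return answer > 0 ? uint256(answer) : 0;
        } catch {
            return 0;
        }
    }
    function priceBTC() external view returns (uint256) { return _read(btcUsdFeed); }
    function priceETH() external view returns (uint256) { return _read(ethUsdFeed); }
}
```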
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/price_feed/CoreChainlinkFeed.sol#L1
Assessed type
Oracle