Closed c4-bot-7 closed 5 months ago
Max impact would be QA, but this simply seems invalid and unbacked
GalloDaSballo marked the issue as insufficient quality report
GalloDaSballo marked the issue as primary issue
trust1995 marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/WiseOracleHub/OracleHelper.sol#L87-L100
Vulnerability details
Impact
OracleHelper::_compareMinMax() uses deprecated Chainlink aggregator methods. Using deprecated functions could lead to unpredictable results. Those will also not be available on newer feeds.
Proof of Concept
OracleHelper::_compareMinMax() uses the minAnswer() and maxAnswer() methods from Chainlink's AggregatorV3 as a circuit breaker to detect if the oracle has died or the market has experienced a crash.
Those methods have now been deprecated and Chainlink has different recommendations for mitigating these risks.
This eventually affects WiseOracleHub's getTokensFromETH(), getTokensInETH(), getTokensInUSD(), and getTokensFromUSD() methods.
Tools Used
Manual Review
Recommended Mitigation Steps
Read Chainlink's official mitigation guidelines for this issue: https://docs.chain.link/data-feeds/selecting-data-feeds#risk-mitigation
Assessed type
Oracle
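The min/max circuit-breaker pattern the report describes, as an added Solidity example that is not the Wise Lending code and not part of the original submission. The contract MinMaxCircuitBreaker, its errors and checkedAnswer() are hypothetical names, and the two interfaces are declared inline on the assumption that the feed is a Chainlink proxy whose underlying aggregator exposes minAnswer() and maxAnswer().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Proxy-facing view of a feed: latestRoundData() comes from AggregatorV3Interface,
// aggregator() returns the address of the aggregator currently behind the proxy.
interface IFeedProxy {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

    function aggregator() external view returns (address);
}

// Bounds getters on the underlying aggregator (the methods the report calls deprecated).
interface IAggregatorBounds {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical consumer, for illustration only.
contract MinMaxCircuitBreaker {
    error AnswerAtOrBelowMin(int256 answer, int256 minAnswer);
    error AnswerAtOrAboveMax(int256 answer, int256 maxAnswer);

    function checkedAnswer(IFeedProxy feed) external view returns (int256 answer) {
        (, answer, , , ) = feed.latestRoundData();

        // Resolve the underlying aggregator on every call, since the proxy can be repointed.
        // If that aggregator does not expose the getters, these calls revert,
        // which is the availability concern the report raises for newer feeds.
        IAggregatorBounds agg = IAggregatorBounds(feed.aggregator());
        int256 minA = int256(agg.minAnswer());
        int256 maxA = int256(agg.maxAnswer());

        // An answer sitting on or outside a bound is treated as untrustworthy:
        // the feed may be pinned at the bound rather than reporting the market price.
        if (answer <= minA) revert AnswerAtOrBelowMin(answer, minA);
        if (answer >= maxA) revert AnswerAtOrAboveMax(answer, maxA);
    }
}
```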