Closed howlbot-integration[bot] closed 4 months ago
alex-ppg marked the issue as unsatisfactory: Insufficient proof
Hey @alex-ppg! With all due respect, I believe this report provides sufficient evidence of the vulnerability's validity. Here's why:
Furthermore, the report outlines a proper Recommended Mitigation Steps section with a diff demonstrating how to prevent the bug.
Please check this again.
Hey @cholakovvv, thanks for your contribution! Chainlink has directly stated that the round ID values do not need to be sanitized and the answeredInRoundId value is a legacy variable that has been deprecated.
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/PriceFeed.sol#L45-L58
Vulnerability details
Impact
The PriceFeed contract could be returning outdated prices, leading to inaccurate calculations wherever the contract’s functionality is used. This could result in a loss of money for both the protocol and the users.
Proof of Concept
In order for the protocol to access the square root price of the base token in terms of the quote token, it uses PriceFeed’s function getSqrtPrice. Within it, a call to latestRoundData from AggregatorV3Interface is made in order to get the price for the specified price feed. The only validation done for the returned data is for the quoteAnswer (in other words, the answer parameter), where the check confirms if quoteAnswer is greater than 0. getSqrtPrice gets called in the function getSqrtIndexPrice if there is a priceFeed address set for the pair. With no check implemented, the returned stale price is then used in PredyPool, GammaTradeMarket, PositionCalculator, and PerpMarketV1. In order of the most impact:
pairId; as a result, there isn't much of a risk, but the wrong price is still returned.
As it can be seen in the official documentation of Chainlink Data Feeds:
If the updatedAt parameter isn’t properly validated, the protocol could continue to operate with stale prices as it wouldn’t be aware that there’s an issue.
Tools Used
Manual Review
Recommended Mitigation Steps
For price freshness, the function getSqrtPrice should be updated as follows:
Assessed type
Oracle
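A sketch of the updatedAt freshness check this report argues for, as an added example that is not part of the original report and not Predy's code. FreshQuoteReader, maxAge and MockFeed are hypothetical names, and maxAge is assumed to be chosen per feed from its heartbeat; round IDs are left unchecked, in line with the judge's comment above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper for illustration; not Predy's PriceFeed contract.
contract FreshQuoteReader {
    error NonPositiveAnswer(int256 answer);
    error ZeroTimestamp();
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    AggregatorV3Interface public immutable quoteFeed;
    // Assumption: the feed's heartbeat plus a safety margin, set at deployment.
    uint256 public immutable maxAge;

    constructor(AggregatorV3Interface _quoteFeed, uint256 _maxAge) {
        quoteFeed = _quoteFeed;
        maxAge = _maxAge;
    }

    function freshQuoteAnswer() external view returns (int256 quoteAnswer) {
        uint256 updatedAt;
        (, quoteAnswer, , updatedAt, ) = quoteFeed.latestRoundData();
        // The check the report says already exists: the answer must be positive.
        if (quoteAnswer <= 0) revert NonPositiveAnswer(quoteAnswer);
        // A zero timestamp can never be fresh; reject it with its own error.
        if (updatedAt == 0) revert ZeroTimestamp();
        // Freshness check. Checked arithmetic (0.8+) also reverts if updatedAt
        // lies in the future, so a bogus timestamp cannot pass as fresh.
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
    }
}

// Constructed stand-in feed for local tests (Remix, Foundry, Hardhat).
contract MockFeed is AggregatorV3Interface {
    int256 public answer;
    uint256 public updatedAt;

    function set(int256 a, uint256 u) external { answer = a; updatedAt = u; }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}
```

Deploying MockFeed, setting an updatedAt older than maxAge and calling freshQuoteAnswer reverts with StalePrice, while the same answer with a recent timestamp is returned.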