The contract calls out to a Chainlink oracle receiving the latestRoundData(). If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale or incorrect data (if oracles are unable to submit no new round is started).Take a look at the Chainlink documentation
Implement comprehensive checks to validate the freshness of the data returned by Chainlink's latestRoundData() in your smart contracts. This includes verifying the timestamp of the latest round against a permissible time window to ensure the data's relevance and accuracy. Additionally, consider using Chainlink's getRoundData() function with specific round IDs for historical data checks and to verify data continuity. Add the following checks:
Lines of code
https://github.com/code-423n4/2024-06-badger/blob/61df0ce381d5e1f10191257aaa304fac4776ad33/./ebtc-protocol/packages/contracts/contracts/ChainlinkAdapter.sol#L67-L67
Vulnerability details
Impact
The contract calls out to a Chainlink oracle receiving the latestRoundData(). If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale or incorrect data (if oracles are unable to submit no new round is started).Take a look at the Chainlink documentation
67,
Recommended Mitigation Steps
Implement comprehensive checks to validate the freshness of the data returned by Chainlink's
latestRoundData()
in your smart contracts. This includes verifying the timestamp of the latest round against a permissible time window to ensure the data's relevance and accuracy. Additionally, consider using Chainlink'sgetRoundData()
function with specific round IDs for historical data checks and to verify data continuity. Add the following checks:Assessed type
Other