code-423n4 / 2024-06-badger-validation


`latestRoundData()` Call May Return Stale Data #4

Closed c4-bot-4 closed 4 months ago

c4-bot-4 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-badger/blob/61df0ce381d5e1f10191257aaa304fac4776ad33/./ebtc-protocol/packages/contracts/contracts/ChainlinkAdapter.sol#L67-L67

Vulnerability details

Impact

The contract calls out to a Chainlink oracle receiving the latestRoundData(). If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the Chainlink system), consumers of this contract may continue using outdated, stale or incorrect data (if oracles are unable to submit, no new round is started). Take a look at the Chainlink documentation.

Path: ./ebtc-protocol/packages/contracts/contracts/ChainlinkAdapter.sol

67:            (uint80 latestRoundId, , , , ) = _feed.latestRoundData();    // @audit-issue


Recommended Mitigation Steps

Implement comprehensive checks to validate the freshness of the data returned by Chainlink's latestRoundData() in your smart contracts. This includes verifying the timestamp of the latest round against a permissible time window to ensure the data's relevance and accuracy. Additionally, consider using Chainlink's getRoundData() function with specific round IDs for historical data checks and to verify data continuity. Add the following checks:

...
( roundId, rawPrice, , updateTime, answeredInRound ) = AggregatorV3Interface(XXXXX).latestRoundData();
require(rawPrice > 0, "Chainlink price <= 0");
require(updateTime != 0, "Incomplete round");
require(answeredInRound >= roundId, "Stale price");
...

Assessed type

Other
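The following is an added illustration of the freshness checks the report recommends, written as a stand-alone wrapper; it is not code from the eBTC protocol or from the report author. `FreshPriceReader`, `maxStaleness` and the custom errors are hypothetical names, and the aggregator interface is the standard Chainlink `AggregatorV3Interface` subset. Besides the three `require` checks above it adds the timestamp-window check the recommendation describes in prose but the snippet omits.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface needed for a price read.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Hypothetical reader that rejects stale or incomplete Chainlink rounds.
contract FreshPriceReader {
    AggregatorV3Interface public immutable feed;
    // Maximum age of a round in seconds; set to the feed's heartbeat plus a margin.
    uint256 public immutable maxStaleness;

    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId);
    error StalePrice(uint80 roundId, uint256 updatedAt, uint256 nowTs);

    constructor(address feedAddress, uint256 maxStalenessSeconds) {
        feed = AggregatorV3Interface(feedAddress);
        maxStaleness = maxStalenessSeconds;
    }

    /// @return price The latest answer as an unsigned integer in feed decimals.
    /// @return roundId The round the answer came from.
    function getFreshPrice() external view returns (uint256 price, uint80 roundId) {
        int256 answer;
        uint256 updatedAt;
        uint80 answeredInRound;
        (roundId, answer, , updatedAt, answeredInRound) = feed.latestRoundData();

        // A zero or negative answer is never a valid price.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not completed.
        if (updatedAt == 0) revert IncompleteRound(roundId);
        // Reject rounds older than the allowed window (or with a future timestamp).
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(roundId, updatedAt, block.timestamp);
        }
        // answeredInRound < roundId signals a carried-over answer on older aggregators;
        // newer aggregators always return answeredInRound == roundId, so this is then a no-op.
        if (answeredInRound < roundId) {
            revert StalePrice(roundId, updatedAt, block.timestamp);
        }

        price = uint256(answer);
    }
}
```

The `maxStaleness` window should be chosen per feed from its documented heartbeat; a window much larger than the heartbeat reintroduces the stale-data problem, while one smaller than the heartbeat will revert during normal operation.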

c4-bot-6 commented 4 months ago

Withdrawn by caglankaan