search

sherlock-audit / 2022-09-knox-judging

0 stars 0 forks source link

minhquanym - Oracle data feed is insufficiently validated. #118

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

minhquanym

medium

Oracle data feed is insufficiently validated.

Summary

Oracle data feed is insufficiently validated. https://github.com/sherlock-audit/2022-09-knox/blob/main/knox-contracts/contracts/pricer/PricerInternal.sol#L49-L55

Vulnerability Detail

Oracle data feed is insufficiently validated. There is no check for stale price and round completeness. Price can be stale and can lead to wrong price return value.

Impact

Price can be stale and can lead to wrong price return value.

Code Snippet

Function _latestAnswer64x64() calls latestRoundData() to get the basePrice and underlyingPrice

function _latestAnswer64x64() internal view returns (int128) {
    (, int256 basePrice, , , ) = BaseSpotOracle.latestRoundData();
    (, int256 underlyingPrice, , , ) =
        UnderlyingSpotOracle.latestRoundData();

    return ABDKMath64x64.divi(underlyingPrice, basePrice);
}

Tool used

Manual Review

Recommendation

Consider adding validation for data feed

(uint80 roundID, int256 basePrice, , uint256 timestamp, uint80 answeredInRound) = BaseSpotOracle.latestRoundData();
require(basePrice > 0, "price <= 0");
require(answeredInRound >= roundID, "stale price");
require(timestamp > 0, "round not complete");

Duplicate of #137