search

sherlock-audit / 2022-09-notional-judging

4 stars 2 forks source link

ak1 - oracle : latestRoundData will not tell the latest price feed data. #136

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ak1

high

oracle : latestRoundData will not tell the latest price feed data.

Summary

The implementation that was done in wstETHChainlinkOracle.sol to decide the price of token will not tell the latest price feed data. The price data could be outdated.

I see the price feed data is used in other contracts as well.

Vulnerability Detail

old price feed data can be used to decide the price of the token. Either the price could be low or high. but it is not the latest data.

function _calculateAnswer() internal view returns (
    uint80 roundId,
    int256 answer,
    uint256 startedAt,
    uint256 updatedAt,
    uint80 answeredInRound
) {
    int256 baseAnswer;
    (
        roundId,
        baseAnswer,
        startedAt,
        updatedAt,
        answeredInRound
    ) = baseOracle.latestRoundData();
    require(baseAnswer > 0, "Chainlink Rate Error");

    answer = baseAnswer * wstETH.stEthPerToken().toInt() / baseDecimals;
}

when we look at the price calculation, the data obtained could be answeredInRound < roundId which means that the data could be older one.

Impact

The price feed data must be stale(old one) that can be used to fix the price of the token.

Code Snippet

https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/trading/oracles/wstETHChainlinkOracle.sol#L26-L44

Tool used

Manual Review

Recommendation

Update the codes as shown below while calculating the latestRoundData. before calculating the answer validate for latest feed and add below check. require( answeredInRound >= roundID, "RoundID from Oracle is outdated!" );

Duplicate of #133