Lack of function to update the chainlink oracle address if the chainlink price is deprecated.
Summary
Lack of function to update the chainlink oracle address.
Vulnerability Detail
In the current implementation, once the chainlink oracle price feed address is set in OracleManager.sol,
the oracle address cannot be updated.
constructor(
address _chainlinkOracle,
uint256 epochLength,
uint256 minimumExecutionWaitThreshold
) {
chainlinkOracle = AggregatorV3Interface(_chainlinkOracle);
MINIMUM_EXECUTION_WAIT_THRESHOLD = minimumExecutionWaitThreshold;
EPOCH_LENGTH = epochLength;
// NOTE: along with the getCurrentEpochIndex function this assignment gives an initial epoch index of 1,
// and this is set at the time of deployment of this contract
// i.e. calling getCurrentEpochIndex() at the end of this constructor will give a value of 1.
initialEpochStartTimestamp = getEpochStartTimestamp() - epochLength;
}
While the assumption is that the chainlink oracle will always be reliable and deliver up-to-date price feed, this might not be the case.
Impact
Let us say, We use the chainlink price feed for ETH / USD
but if chainlink mark this address deprecated and will not continue to support and update the feed from this address, or chainlink update the address of the ETH / USD price feed.
function updateSystemStateUsingValidatedOracleRoundIds
ctf_sec
medium
Lack of function to update the chainlink oracle address if the chainlink price is deprecated.
Summary
Lack of function to update the chainlink oracle address.
Vulnerability Detail
In the current implementation, once the chainlink oracle price feed address is set in OracleManager.sol,
the oracle address cannot be updated.
While the assumption is that the chainlink oracle will always be reliable and deliver up-to-date price feed, this might not be the case.
Impact
Let us say, We use the chainlink price feed for ETH / USD
https://docs.chain.link/docs/data-feeds/price-feeds/addresses/?network=ethereum
https://etherscan.io/address/0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419
but if chainlink mark this address deprecated and will not continue to support and update the feed from this address, or chainlink update the address of the ETH / USD price feed.
would revert.
Code Snippet
https://github.com/sherlock-audit/2022-11-float-capital/blob/main/contracts/oracles/OracleManager.sol#L33-L46
Tool used
Manual Review
Recommendation
We recommend adding a function in the OracleManager.sol to let the admin update the oracle feed address.