search

sherlock-audit / 2023-01-sentiment-judging

2 stars 0 forks source link

simon135 - `updatedAt` from `latestRoundData()` can still be stale for less then a day and an attacker can steal funds #14

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

simon135

high

updatedAt from latestRoundData() can still be stale for less then a day and an attacker can steal funds

Summary

When a round is stale for less than a day and the price falls, an attacker can use this to their advantage by arbitrating/selling these holds. If the opposite happens an attacker can buy up a lot of tokens at a lower price and then sell them at a higher price.

Vulnerability Detail

ex: day 1: the round is stale and the price for eth is 1200 and in the real world eth price went up to 1500 an attacker can buy up all supply and then sell at a higher market for profit.

Impact

Loss to protocol and oracle will give stale pricing

Code Snippet


        if (block.timestamp - updatedAt >= 86400)
            revert Errors.StalePrice(address(0), address(ethUsdPriceFeed));

https://github.com/sentimentxyz/oracle/blob/e940955eba38562d2e27059787294e458e28fe7e/src/gmx/GLPOracle.sol#L43

Tool used

Manual Review

Recommendation

check this to add this to the `latestRoundData()

 (uint80 roundID, int256 answer, , uint256 timestamp, uint80 answeredInRound) = oracle.latestRoundData();

        require(answer > 0, "invalid_oracle_answer");
        require(answeredInRound >= roundID, "ChainLink: Stale price");
        require(timestamp > 0, "ChainLink: Round not complete");

to make sure no round is stale and the update to the round happened instead of determining it through time.

Duplicate of #31