The oracle's data feed is insufficiently validated. There is no check for stale prices and rounding. The price can be stale, leading to incorrect return amounts.
    function getPrice(address _token) external view override returns (uint256) {
        // remap token if possible
        address token = remappedTokens[_token];
        if (token == address(0)) token = _token;

        uint256 maxDelayTime = maxDelayTimes[token];
        if (maxDelayTime == 0) revert NO_MAX_DELAY(_token);

        // try to get token-USD price
        uint256 decimals = registry.decimals(token, USD);
        (, int256 answer, , uint256 updatedAt, ) = registry.latestRoundData(
            token,
            USD
        );
        if (updatedAt < block.timestamp - maxDelayTime)
            revert PRICE_OUTDATED(_token);

        return (answer.toUint256() * 1e18) / 10**decimals;
    }
WatchDogs
medium
The Oracle data feed is insufficiently validated.
Summary
The Oracle data feed is insufficiently validated.
Vulnerability Detail
The oracle's data feed is insufficiently validated. There is no check for stale prices and rounding. The price can be stale, leading to incorrect return amounts.
Impact
It is possible for the price to be stale, resulting in the return value being wrong.
Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/ChainlinkAdapterOracle.sol#L76
Tool used
Manual Review
Recommendation
Validate data feed
Duplicate of #94
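One way to carry out the "Validate data feed" recommendation, as an added example that is not the project's code or its fix: a standalone version of `getPrice` that checks every field returned by `latestRoundData` before using the answer. The contract name, the constructor, and the three errors marked hypothetical are assumptions; token remapping from the original is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Subset of Chainlink's FeedRegistryInterface: the two calls the reported code uses.
interface IFeedRegistry {
    function decimals(address base, address quote) external view returns (uint8);
    function latestRoundData(address base, address quote) external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Illustrative contract (name assumed), tracking a single token for brevity.
contract ValidatedPriceExample {
    address internal constant USD = address(840); // Chainlink Denominations.USD
    IFeedRegistry public immutable registry;
    mapping(address => uint256) public maxDelayTimes;

    error NO_MAX_DELAY(address token);
    error PRICE_OUTDATED(address token);
    error ROUND_INCOMPLETE(address token);   // hypothetical, not in the original
    error STALE_ROUND(address token);        // hypothetical, not in the original
    error PRICE_NOT_POSITIVE(address token); // hypothetical, not in the original

    constructor(IFeedRegistry _registry, address token, uint256 maxDelayTime) {
        registry = _registry;
        maxDelayTimes[token] = maxDelayTime;
    }

    function getPrice(address token) external view returns (uint256) {
        uint256 maxDelayTime = maxDelayTimes[token];
        if (maxDelayTime == 0) revert NO_MAX_DELAY(token);

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            registry.latestRoundData(token, USD);

        // updatedAt == 0 means the round has not completed yet.
        if (updatedAt == 0) revert ROUND_INCOMPLETE(token);
        // The answer must have been computed in the round being reported.
        if (answeredInRound < roundId) revert STALE_ROUND(token);
        // Reject zero or negative answers explicitly before casting to uint256.
        if (answer <= 0) revert PRICE_NOT_POSITIVE(token);
        // Age check written as a difference so a large maxDelayTime cannot underflow.
        if (block.timestamp - updatedAt > maxDelayTime) revert PRICE_OUTDATED(token);

        // Scale to 18 decimals; the division truncates toward zero.
        uint256 decimals = registry.decimals(token, USD);
        return (uint256(answer) * 1e18) / 10 ** decimals;
    }
}
```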