sherlock-audit / 2023-02-bond-judging

martin - Insufficient oracle data validation #53

Closed (sherlock-admin closed this 1 year ago)

sherlock-admin commented 1 year ago

martin

medium

Insufficient oracle data validation

Summary

Missing oracle data feed validation check

Vulnerability Detail

Missing oracle data feed validation check

Impact

Each time the oracle updates the price feed, it generates a new roundId. The roundId should match the timestamp of the price data, which can also be obtained from the oracle's smart contract. The roundIds should be in sequential order with no missing values.

Code Snippet

135: (uint80 roundId, int256 priceInt, , uint256 updatedAt, uint80 answeredInRound) = feed_

https://github.com/sherlock-audit/2023-02-bond/blob/main/bonds/src/BondChainlinkOracle.sol#L135

Tool used

Manual Review

Recommendation

Add the following check and keep reverting if true.

- answeredInRound != roundId

+ (roundId >= answeredInRound);
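Review bot: the `+` line `(roundId >= answeredInRound);` is a bare parenthesized expression, not a `require` or `revert` statement, so as written it enforces nothing; and read together with "keep reverting if true", reverting whenever `roundId >= answeredInRound` would also revert in the normal case where `roundId == answeredInRound`. State the intended condition as a statement that names the relationship to reject, for example `if (answeredInRound < roundId) revert();`, so the reader can tell whether answers carried over from an earlier round, or any mismatch at all, are meant to be rejected.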

Oighty commented 1 year ago

The proposed change does not improve the security. In the case that answeredInRound > roundId something may have gone wrong with the oracle, and we would want to revert. Reverting unless roundId == answeredInRound prevents that issue.
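For readers who want to see what a complete validation of `latestRoundData()` looks like, the contract below is an added example written for this thread; it is not Bond Protocol's `BondChainlinkOracle` code and not the submitter's proposal. `AggregatorV3Interface` is Chainlink's real interface (only the two functions used are declared here); the `maxStaleness` parameter, the error names and the `MockAggregator` used to exercise the checks are assumptions made for the illustration. The round check rejects `answeredInRound < roundId` (an answer carried over from an earlier round), which is Chainlink's documented convention; a strict `answeredInRound == roundId` check, as preferred in the reply above, is the tighter variant and is a one-line change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface with the real signatures.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Illustrative consumer (not Bond Protocol's code) that validates
///         every field of latestRoundData() before trusting the price.
contract ValidatedPriceReader {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxStaleness; // hypothetical parameter, e.g. 1 hours

    error InvalidPrice(int256 price);
    error StalePrice(uint256 updatedAt, uint256 nowTs);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    constructor(AggregatorV3Interface feed_, uint256 maxStaleness_) {
        feed = feed_;
        maxStaleness = maxStaleness_;
    }

    function validatedPrice() external view returns (uint256) {
        (uint80 roundId, int256 priceInt, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // 1. A price of zero or below is never a valid answer.
        if (priceInt <= 0) revert InvalidPrice(priceInt);

        // 2. updatedAt == 0 means the round has not completed; an old timestamp
        //    means the feed stopped updating (frozen or deprecated aggregator).
        if (updatedAt == 0 || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp);
        }

        // 3. answeredInRound < roundId means the answer was carried over from an
        //    earlier round, i.e. no fresh answer exists for the reported roundId.
        //    Use `answeredInRound != roundId` here for the strict-equality variant.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        return uint256(priceInt);
    }
}

/// @notice Constructed mock (assumption, for exercising the checks in a test).
contract MockAggregator is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 roundId_, int256 answer_, uint256 updatedAt_, uint80 answeredInRound_) external {
        roundId = roundId_;
        answer = answer_;
        updatedAt = updatedAt_;
        answeredInRound = answeredInRound_;
    }

    function decimals() external pure returns (uint8) {
        return 8;
    }

    function latestRoundData()
        external
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}
```

To exercise it, deploy `MockAggregator`, pass its address and a staleness window to `ValidatedPriceReader`, and call `set` with a stale `updatedAt`, a non-positive `answer`, or `answeredInRound` smaller than `roundId`: each case makes `validatedPrice()` revert with the matching custom error, while a fresh, positive, complete round returns the price.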