search

sherlock-audit / 2023-02-gmx-judging

17 stars 11 forks source link

hack3r-0m - potentially using old price from pricefeed in oracle due to unchecked timestamp difference #225

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

hack3r-0m

medium

potentially using old price from pricefeed in oracle due to unchecked timestamp difference

Summary

potentially using old price from pricefeed in oracle due to unchecked timestamp difference

Vulnerability Detail

            (
                /* uint80 roundID */,
                int256 _price,
                /* uint256 startedAt */,
                /* uint256 timestamp */,
                /* uint80 answeredInRound */
            ) = priceFeed.latestRoundData();

here, timestamp can be any value in past, if difference b/w timestamp and current timestamp is high then the price is stale and should be adjusted further (or should not be used)

Impact

if external price feed does not update due to whatever reason (sequencer issues, operation issues, congestion, etc.) then oracles uses stale price feed to settle position and trades.

Code Snippet

https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/oracle/Oracle.sol#L575

Tool used

Manual Review

Recommendation

Duplicate of #151