sherlock-audit / 2023-04-blueberry-judging


peanuts - Round completeness not checked in ChainlinkAdapterOracle#latestRoundData #110

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

peanuts

medium

Round completeness not checked in ChainlinkAdapterOracle#latestRoundData

Summary

The roundId is not checked for completeness, possibly leading to stale results.

Vulnerability Detail

The roundId is the identifier of the newly returned price in every round. Ensure that every Chainlink price retrieval has a new roundId; otherwise we are querying a stale price.

Impact

latestRoundData() might return stale results.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L87

Tool used

Manual Review

Recommendation

Add a roundId check. Change from this:

        (, int256 answer, , uint256 updatedAt, ) = registry.latestRoundData(token, USD);

to this:

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = registry.latestRoundData(
            token,
            USD
        );

        // Reject an answer carried over from an earlier round
        require(answeredInRound >= roundId, "Stale price");

Duplicate of #118
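
The recommended check in context, as an added example that is neither the project's code nor part of the original issue. `CheckedRegistryReader`, `checkedPrice`, `maxDelay` and the trimmed `IFeedRegistry` interface are hypothetical names, and the `updatedAt` and `answer > 0` checks go beyond what the issue recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Trimmed interface: only the Feed Registry call used in the issue.
interface IFeedRegistry {
    function latestRoundData(address base, address quote)
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical reader contract, not the project's ChainlinkAdapterOracle.
contract CheckedRegistryReader {
    // Same value as Denominations.USD in Chainlink's Feed Registry.
    address public constant USD = address(840);

    IFeedRegistry public immutable registry;
    uint256 public immutable maxDelay; // assumed: maximum accepted price age, in seconds

    constructor(IFeedRegistry registry_, uint256 maxDelay_) {
        registry = registry_;
        maxDelay = maxDelay_;
    }

    function checkedPrice(address token) external view returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = registry.latestRoundData(token, USD);

        // A round that has not been answered yet reports updatedAt == 0.
        require(updatedAt != 0, "Round not complete");
        // The check from the issue: the answer must belong to this round.
        require(answeredInRound >= roundId, "Stale price");
        // Fails closed: a future updatedAt reverts on underflow in 0.8.
        require(block.timestamp - updatedAt <= maxDelay, "Price too old");
        require(answer > 0, "Invalid price");
        return uint256(answer);
    }
}
```

Chainlink's current API reference marks `answeredInRound` as deprecated, so on current feeds the `updatedAt` age check is the one that bounds staleness.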