search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

deadrxsezzz - Possible stale values from Chainlink oracle #95

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

deadrxsezzz

medium

Possible stale values from Chainlink oracle

Summary

Insufficient checks are made when receiving values from Chainlink oracle

Vulnerability Detail

(, int256 answer, , uint256 updatedAt, ) = registry.latestRoundData(
            token,
            USD
        );
        if (updatedAt < block.timestamp - maxDelayTime)
            revert Errors.PRICE_OUTDATED(token_);
        if (answer <= 0) revert Errors.PRICE_NEGATIVE(token_);

When getting latestRoundData, the only variables checked are the updatedAt timestamp and the answer. According to chainlink docs, answeredInRound should be checked to be == roundId,

answeredInRound: The combination of aggregatorAnsweredInRound and phaseId. aggregatorAnsweredInRound: The round the answer was updated in. You can check answeredInRound against the current roundId. If answeredInRound is less than roundId, the answer is being carried over. If answeredInRound is equal to roundId, then the answer is fresh.

Impact

Stale price might be carried over

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L77-#L98

Tool used

Manual Review

Recommendation

add the following check 

        require(answeredInRound == roundID, "Stale price");

Duplicate of #118