search

sherlock-audit / 2023-04-hubble-exchange-judging

7 stars 6 forks source link

darkart - Stale Price in Underlying Asset Price Calculation #204

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

darkart

medium

Stale Price in Underlying Asset Price Calculation

Summary

The getUnderlyingPrice function in the Oracle contract does not check for stale prices. This means that the function could return a price that is outdated and no longer accurate.

Vulnerability Detail

This vulnerability could allow a malicious user to purchase the underlying asset at a lower price than they should.

Impact

getUnderlyingPrice function does not check for stale prices. This could allow a malicious user to purchase the underlying asset at a lower price than they should.

Code Snippet

https://github.com/hubble-exchange/hubble-protocol/blob/d89714101dd3494b132a3e3f9fed9aca4e19aef6/contracts/Oracle.sol#L24-L35

Tool used

Manual Review

Recommendation

The getUnderlyingPrice function should be updated to check for stale prices. This can be done by adding:

require(timestamp != 0,"Stale Price");
    function getUnderlyingPrice(address underlying)
        virtual
        external
        view
        returns(int256 answer)
    {
        if (stablePrice[underlying] != 0) {
            return stablePrice[underlying];
        }
        (,answer,,,) = AggregatorV3Interface(chainLinkAggregatorMap[underlying]).latestRoundData();
        + require(timestamp != 0,"Stale Price");
        answer /= 100;

Duplicate of #18