Closed sherlock-admin closed 1 year ago
0xpinky
medium
Oracle.sol uses the chain link aggregator to fetch the asset price in real time.
Oracle.sol
It lacks to check the freshness value of asset price.
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L24-L36
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L107-L141
in above functions, it gets the price value using the chainlink aggregator.
It is not checking the information like when the price is updated.
The contract would use the stale price value which might be less or more which is in uncertain.
Both will hurt either user or the hubble.
Manual Review
follow the chainlin recommendations
check when the price is updated. validate the last updated time with current time.
Duplicate of #18
0xpinky
medium
Oracle.sol : freshness of oracle data is not validated.
Summary
Oracle.sol
uses the chain link aggregator to fetch the asset price in real time.It lacks to check the freshness value of asset price.
Vulnerability Detail
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L24-L36
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L107-L141
in above functions, it gets the price value using the chainlink aggregator.
It is not checking the information like when the price is updated.
Impact
The contract would use the stale price value which might be less or more which is in uncertain.
Both will hurt either user or the hubble.
Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L107-L141
Tool used
Manual Review
Recommendation
follow the chainlin recommendations
check when the price is updated. validate the last updated time with current time.
Duplicate of #18