Closed sherlock-admin closed 1 year ago
n33k
medium
There is no validation done on timestamp returned from latestRoundData(). The borrower could borrow assets beyond his limit with the stale price.
The price oracle does not check round completeness.
function getPriceFromChainlink(address base, address quote) internal view returns (uint256) { (, int256 price,,,) = registry.latestRoundData(base, quote); require(price > 0, "invalid price"); // Extend the decimals to 1e18. return uint256(price) * 10 ** (18 - uint256(registry.decimals(base, quote))); }
The borrower could borrow assets beyond his limit with the wrong price and leave a bad debt.
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L66-L72
Manual Review
Validate the timestamp of the oracle is up to date.
Duplicate of #9
n33k
medium
Oracle has no check for timestamp
Summary
There is no validation done on timestamp returned from latestRoundData(). The borrower could borrow assets beyond his limit with the stale price.
Vulnerability Detail
The price oracle does not check round completeness.
Impact
The borrower could borrow assets beyond his limit with the wrong price and leave a bad debt.
Code Snippet
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L66-L72
Tool used
Manual Review
Recommendation
Validate the timestamp of the oracle is up to date.
Duplicate of #9