search

sherlock-audit / 2023-05-ironbank-judging

2 stars 2 forks source link

ni8mare - Oracle return values are not being checked. #460

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ni8mare

medium

Oracle return values are not being checked.

Summary

Chainlink Oracle return values are not handled properly.

Vulnerability Detail

The Chainlink function registry.latestRoundData(base, quote) returns other values like roundId, updatedAt, answeredInRound which need to be validated in order to avoid getting stale prices or incomplete rounds

Impact

If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle, consumers of the oracle contract may continue using outdated data.

Code Snippet

This is seen in the PriceOracle contract, in the function getPriceFromChainlink 

    function getPriceFromChainlink(
        address base,
        address quote
    ) internal view returns (uint256) {
        (, int256 price, , , ) = registry.latestRoundData(base, quote); 
        require(price > 0, "invalid price"); 

        // Extend the decimals to 1e18.
        return
            uint256(price) *
            10 ** (18 - uint256(registry.decimals(base, quote)));
    }

Only the price is validated. Other values are not.

Tool used

Manual Review

Recommendation

It is recommended to add the following checks:

require(price > 0, "Invalid price");
require(answeredInRound >= roundID , "Stale price");
require(timestamp != 0, "Round not complete");

Duplicate of #9