sherlock-admin2
commented
9 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Closed sherlock-admin2 closed 9 months ago
sherlock-admin2
commented
9 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Robert
medium
Chainlink Returns Allow a 0 Price
Summary
When determining the validity of a Chainlink price, the if statement demands price must be
>=0. This statement is ensuring the Chainlink feed is not returning false data in any way, but if it's returning a 0 price it is almost certainly false data.Vulnerability Detail
There shouldn't be any situation in a Chainlink feed where a 0 price is valid, and a 0 price would much more likely signify that there's a bug in the system or the feed isn't returning correct data for some reason.
Impact
If price is falsely returned as 0 the impact could be disastrous and lead to infinite borrowing and large liquidations of an asset, but it's an unlikely scenario this would occur so it's likely a medium impact.
Code Snippet
if ( roundId > 0 && answer_ >= 0 && updatedAt > block.timestamp - oracleInformation_.cutOffTime && updatedAt <= block.timestamp ) { success = true; answer = uint256(answer_); }https://github.com/arcadia-finance/accounts-v2/blob/9b24083cb832a41fce609a94c9146e03a77330b4/src/oracle-modules/ChainlinkOM.sol#L122Tool used
Manual Review
Recommendation
Change the
>=to>.Duplicate of #126