Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
The issue describes not checking the min/max value from Chainlink for data staleness, but this is not required.
Invalid, this is the best case scenario: when Chainlink feeds are down, the protocol should not be allowed to proceed, since important price feeds depend on Chainlink data.
404Notfound
medium
Unhandled Chainlink revert would lock all price oracle access
Summary
The collateral token price will fail to update once the Chainlink price feed can no longer be reached.
Vulnerability Detail
A call to latestRoundData() could revert and make it impossible to query prices. Feeds cannot be changed after they are configured through the function addCollateralToken(), so this would result in a permanent denial of service. Refer to https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles for more information regarding potential risks to account for when relying on external price feed providers.
Impact
The collateral token price will fail to update.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/tree/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L526-L539
Tool used
Manual Review
Recommendation
Surround the call to latestRoundData() with try/catch instead of calling it directly. When the call reverts, the catch block can be used to call a fallback oracle or handle the error in any other suitable way.
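The pattern described in the recommendation, as an added illustration that is not code from the Ubiquity repository: a hypothetical wrapper catches a revert from the primary feed, checks the answer against a staleness bound, and only then consults a secondary feed. The contract name, the fallbackFeed and maxStaleness parameters are assumptions, not part of the audited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface (same signature as the real one).
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper: primary feed first, secondary feed only if the primary call reverts
// or returns an unusable answer. If both fail, the revert propagates, which is the safe default.
contract GuardedPriceOracle {
    IAggregatorV3 public immutable primary;
    IAggregatorV3 public immutable fallbackFeed; // assumed secondary oracle
    uint256 public immutable maxStaleness;      // seconds; assumed per-feed heartbeat bound

    event PrimaryFeedFailed(bytes reason);

    constructor(IAggregatorV3 _primary, IAggregatorV3 _fallback, uint256 _maxStaleness) {
        primary = _primary;
        fallbackFeed = _fallback;
        maxStaleness = _maxStaleness;
    }

    function getPrice() external returns (int256 price) {
        // try/catch only catches a revert raised inside the external call itself.
        try primary.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (_isUsable(answer, updatedAt)) {
                return answer;
            }
            emit PrimaryFeedFailed("stale or non-positive answer");
        } catch (bytes memory reason) {
            emit PrimaryFeedFailed(reason);
        }

        // Fallback path: apply the same sanity checks; revert if nothing usable exists.
        (, int256 fbAnswer,, uint256 fbUpdatedAt,) = fallbackFeed.latestRoundData();
        require(_isUsable(fbAnswer, fbUpdatedAt), "no usable price");
        return fbAnswer;
    }

    // A price is usable only if it is positive and was updated within maxStaleness seconds.
    function _isUsable(int256 answer, uint256 updatedAt) internal view returns (bool) {
        return answer > 0 && block.timestamp - updatedAt <= maxStaleness;
    }
}
```

Note that try/catch does not catch failures in decoding the return data, so a feed address with no code deployed still reverts in the caller; the staleness check is what handles a feed that is live but no longer updating.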