search

sherlock-audit / 2024-02-rio-network-core-protocol-judging

4 stars 4 forks source link

MatricksDeCoder - There is lack of fallback for price feeds Oracles #349

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

MatricksDeCoder

medium

There is lack of fallback for price feeds Oracles

Summary

Protocol does not implement any fallback solutions for Chainlink price feeds Oracle

Vulnerability Detail

It is not reliable to rely on single price feeds Oracle as Chainlink Oracles may have disruption, faulty, return wrong answers or Chainlink's aggregators fail to update price data

Impact

If Chainlink's aggregators fail to update the price data, the protocol will not be able to operate well as accurate prices are critical for conversions of unit of account values

https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/oracle/ChainlinkPriceFeed.sol#L34

Code Snippet

  function getPrice() external view returns (uint256) {
        (, int256 price,, uint256 updatedAt,) = IChainlinkAggregatorV3(source).latestRoundData();
        if (block.timestamp > updatedAt + stalePriceDelay) revert STALE_PRICE();
        if (price <= 0) revert BAD_PRICE();

        return uint256(price);
    }

prices used in protocol rely solely on Chainlink aggregators always working or always working as expected there are no fallback solutions or alternatives to query prices

Tool used

Manual Review

Recommendation

It is highly recommended implementing fallback solutions, such as using other off-chain oracle providers and/or on-chain Oracle providers or Uniswap's TWAP etc, for feeding price data in case Chainlink's aggregators fail.

nevillehuang commented 8 months ago

Invalid, design improvement suggestion, not a security risk