sherlock-admin2
commented
8 months ago 3 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid, admin can set a new feed if needed
tsvetanovv commented:
According to Smilee Readme and Sherlock documentation this issue type is invalid
takarez commented:
invalid
y0ng0p3
medium
Unhandled Chainlink revert results in frozen assets
Summary
Calls to Chainlink could revert, which may result in a complete Denial-of-Service as outlined in OZ blog and make it impossible to query any prices. Feeds cannot be changed after they are configured. so this would result in a permanent DoS.
Vulnerability Detail
Chainlink’s multisigs can immediately block access to price feeds at will. Just because a price feed is working today does not mean it will continue to do so indefinitely. Therefore, to prevent DoS scenarios, smart contracts should query Chainlink price feeds using a defensive approach by surrounding calls to Chainlink with Solidity’s try/catch blocks and dealing appropriately with any errors.
In this way, if the call to the price feed fails, the caller contract is still in control and can handle any errors safely and explicitly.
Impact
Unhandled chainlink revert would lead to a complete Denial-of-Service to those calling _getFeedValue(). Resulting in locking all price oracle access. Thereby, preventing from getting premium, payoff, and swap amounts.
Code Snippet
https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L110-L125
Tool used
Manual review
Recommendation
Use a try-catch when fetching the normal latestRoundData() instead of calling it directly. In a scenario where the call reverts, the catch block can be used to call a fallback oracle or handle the error in any other suitable way.