Chainlink's latestRoundData might return stale or incorrect results #490
Comments
JeffCX marked the issue as primary issue
LybraFinance marked the issue as disagree with severity
@LybraFinance - can you explain why you disagree with the severity here?
0xean marked the issue as satisfactory
Because we use Chainlink price feeds to report LBR price only in specific places, even if there is a delay, the impact is minimal. Moreover, the likelihood of delays occurring is low, so we consider this to be a low-risk scenario.
I understand your point, but I do think validating the values being returned from Chainlink is best practice and in the past has qualified as M severity in c4 contests. I can see how it would be considered a leak of value in the scenarios being used; M seems reasonable, but I am open to further discussion.
This was actually found during the bot race, closing as out of scope
0xean marked the issue as unsatisfactory
0xean changed the severity to QA (Quality Assurance)
0xean marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/EUSDMiningIncentives.sol#L151
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/EUSDMiningIncentives.sol#L152
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/EUSDMiningIncentives.sol#L212
Vulnerability details
Impact
In EUSDMiningIncentives.sol, the team is using latestRoundData, but there is no check whether the returned values indicate stale data. This could lead to stale prices being used, as described in the Chainlink documentation:
https://docs.chain.link/docs/historical-price-data/#historical-rounds
https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round
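The pattern the issue describes next to its validated form, as an added illustration that is not Lybra's code: the interface mirrors Chainlink's public AggregatorV3Interface, while the consumer contract, its `maxStaleness` heartbeat bound and the function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface used by both read paths below.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical consumer written for this example only.
contract OracleConsumerExample {
    AggregatorV3Interface public immutable feed;
    // Assumed upper bound on feed age; in practice it should track the feed's documented heartbeat.
    uint256 public immutable maxStaleness;

    constructor(address _feed, uint256 _maxStaleness) {
        feed = AggregatorV3Interface(_feed);
        maxStaleness = _maxStaleness;
    }

    // Unchecked read: only `answer` is used, so a stale, incomplete or
    // non-positive round is silently accepted. This is the shape the issue points at.
    function unsafePrice() external view returns (int256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return answer;
    }

    // Validated read: every field the aggregator returns is checked before the
    // answer is trusted, per the Chainlink FAQ linked above.
    function safePrice() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");
        require(updatedAt != 0, "oracle: round not complete");
        require(answeredInRound >= roundId, "oracle: answer carried over from earlier round");
        require(block.timestamp - updatedAt <= maxStaleness, "oracle: answer too old");
        return uint256(answer);
    }
}
```

The staleness bound is the check most likely to need tuning, since each feed has its own heartbeat and deviation threshold; a bound that is too tight reverts on healthy feeds, one that is too loose accepts the stale prices this issue is about.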
Proof of Concept
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/EUSDMiningIncentives.sol#L151
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/EUSDMiningIncentives.sol#L152
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/EUSDMiningIncentives.sol#L212
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Oracle