This repository has been archived by the owner on May 26, 2023. It is now read-only.
evan - Data returned from latestRoundData() not sufficiently checked #234
Comments
github-actions
bot
added
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
evan
medium
Data returned from latestRoundData() not sufficiently checked
Summary
In the ChainlinkAdapterOracle, the data returned from registry.latestRoundData is not checked sufficiently.
Vulnerability Detail
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/ChainlinkAdapterOracle.sol#L80
^^ There is only a check on updatedAt. answeredInRound is not checked. It's possible for the price to be stale.
Impact
The price returned might be stale. Since many parts of the protocol need to get the price of assets (collateral, debt, underlyingToken), inaccurate price can lead to loss for the protocol or the users.
Code Snippet
Tool used
Manual Review
Recommendation
https://docs.chain.link/data-feeds/price-feeds/api-reference#latestrounddata
In addition to the updatedAt check, it's best to also check
answer > 0,answeredInRound >= roundID(prevent stale price),timestamp != 0(prevent incomplete round)Duplicate of #94
The text was updated successfully, but these errors were encountered: