This repository has been archived by the owner on May 26, 2023. It is now read-only.
github-actionsbot opened this issue Mar 1, 2023 · 0 comments
Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), Medium (A valid Medium severity issue), Reward (A payout will be made for this issue)
evan
medium
Data returned from latestRoundData() not sufficiently checked
Summary
In the ChainlinkAdapterOracle, the data returned from registry.latestRoundData is not checked sufficiently.
Vulnerability Detail
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/ChainlinkAdapterOracle.sol#L80
^^ There is only a check on updatedAt. answeredInRound is not checked. It's possible for the price to be stale.
Impact
The price returned might be stale. Since many parts of the protocol need to get the price of assets (collateral, debt, underlyingToken), inaccurate price can lead to loss for the protocol or the users.
Code Snippet
Tool used
Manual Review
Recommendation
https://docs.chain.link/data-feeds/price-feeds/api-reference#latestrounddata
In addition to the updatedAt check, it's best to also check `answer > 0`, `answeredInRound >= roundID` (prevent stale price), `timestamp != 0` (prevent incomplete round)

Duplicate of #94