SPYBOY - Chainlink's latestRoundData return stale or incorrect result #94

github-actions · 2023-03-01T03:19:56Z

SPYBOY

medium

Chainlink's latestRoundData return stale or incorrect result

Summary

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/ChainlinkAdapterOracle.sol#L76

Vulnerability Detail

Impact

On ChainlinkAdapterOracle.sol, you are using latestRoundData, but there is no check if the return value indicates stale data.

function getPrice(address _token) external view override returns (uint256) {
        // remap token if possible
        address token = remappedTokens[_token];
        if (token == address(0)) token = _token;

        uint256 maxDelayTime = maxDelayTimes[token];
        if (maxDelayTime == 0) revert NO_MAX_DELAY(_token);

        // try to get token-USD price
        uint256 decimals = registry.decimals(token, USD);
        (, int256 answer, , uint256 updatedAt, ) = registry.latestRoundData(
            token,
            USD
        );
        if (updatedAt < block.timestamp - maxDelayTime)
            revert PRICE_OUTDATED(_token);

        return (answer.toUint256() * 1e18) / 10**decimals;
    }

This could lead to stale prices according to the Chainlink documentation:
https://docs.chain.link/data-feeds/price-feeds/historical-data
Related report:
code-423n4/2021-05-fairside-findings#70

Code Snippet

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/ChainlinkAdapterOracle.sol#L76

Tool used

Manual Review

Recommendation

Add the below check for returned data

function getPrice(address _token) external view override returns (uint256) {
        // remap token if possible
        address token = remappedTokens[_token];
        if (token == address(0)) token = _token;

        uint256 maxDelayTime = maxDelayTimes[token];
        if (maxDelayTime == 0) revert NO_MAX_DELAY(_token);

        // try to get token-USD price
        uint256 decimals = registry.decimals(token, USD);
        (uint80 roundID, int256 answer, uint256 timestamp, uint256 updatedAt, ) = registry.latestRoundData(
            token,
            USD
        );
        //Solution
        require(updatedAt >= roundID, "Stale price");
        require(timestamp != 0,"Round not complete");
        require(answer > 0,"Chainlink answer reporting 0");

        if (updatedAt < block.timestamp - maxDelayTime)
            revert PRICE_OUTDATED(_token);

        return (answer.toUint256() * 1e18) / 10**decimals;
    }

github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue labels Mar 1, 2023

Gornutz added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 8, 2023

hrishibhat mentioned this issue Mar 15, 2023

0x52 - ChainlinkAdapterOracle will return the wrong price for asset if underlying aggregator hits minAnswer #18

Open

sherlock-admin added the Reward A payout will be made for this issue label Mar 19, 2023

code423n4 mentioned this issue May 8, 2023

Chainlink price feed responses are not validated code-423n4/2023-05-asymmetry-mitigation-findings#60

Open

This was referenced May 23, 2023

lil.eth - Stale or Outdated Price in getPriceUSD() Function in StableOracle Contracts sherlock-audit/2023-05-USSD-judging#171

Closed

SaharDevep - Stale or incorrect price return from Chainlink's latestRoundData sherlock-audit/2023-05-USSD-judging#766

Closed

piyushshukla599 mentioned this issue May 28, 2023

Chainlink’s latestRoundData might return stale or incorrect results sherlock-audit/2023-05-USSD#1

Open

This was referenced Jun 11, 2023

santipu_ - Lack of checks to avoid stale prices from Chainlink oracle sherlock-audit/2023-05-ironbank-judging#444

Closed

BLACK-PANDA-REACH - Oracles may return stale prices sherlock-audit/2023-05-perennial-judging#216

Closed

code423n4 mentioned this issue Jun 28, 2023

EUSDMiningIncentives.purchaseOtherEarnings() call latestRoundData() but does not check if lbrPrice > 0 code-423n4/2023-06-lybra-findings#157

Closed

This was referenced Aug 5, 2023

latestRoundData() problem Cyfrin/2023-07-foundry-defi-stablecoin#44

Closed

Data returned by latestRoundData not checked enough in order to determinate if price is stale Cyfrin/2023-07-foundry-defi-stablecoin#99

Open

sherlock-admin mentioned this issue Jan 10, 2024

cducrest-brainbot - Chainlink oracle prices can be stale or incorrect sherlock-audit/2023-12-ubiquity-judging#171

Closed

sherlock-admin3 mentioned this issue Jun 4, 2024

cergyk - HOTOracle::getSqrtOraclePriceX96 Missing checks on values returned by Chainlink aggregators sherlock-audit/2024-03-arrakis-judging#72

Closed

blutorque mentioned this issue Jun 7, 2024

maushish - Risk of Incorrect Asset Pricing by Datafeed in Case of Underlying Aggregator Reaching minAnswer. sherlock-audit/2024-05-midas-judging#49

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SPYBOY - Chainlink's latestRoundData return stale or incorrect result #94

SPYBOY - Chainlink's latestRoundData return stale or incorrect result #94

github-actions bot commented Mar 1, 2023

SPYBOY - Chainlink's latestRoundData return stale or incorrect result #94

SPYBOY - Chainlink's latestRoundData return stale or incorrect result #94

Comments

github-actions bot commented Mar 1, 2023

Chainlink's latestRoundData return stale or incorrect result

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation