This repository has been archived by the owner on Dec 17, 2023. It is now read-only.
sherlock-admin opened this issue on Jun 11, 2023 · 0 comments

Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), Medium (A valid Medium severity issue), Reward (A payout will be made for this issue)
Summary

PriceOracle.getPriceFromChainlink() does not check if the price received from Chainlink is a stale price.

Vulnerability Detail

If the price received from Chainlink is a stale price, it does not reflect the true price of the underlying / borrow assets. This will affect the calculation of _getAccountLiquidity() and _isLiquidatable().

Impact

In the worst-case scenario, a malicious user might be able to take advantage of the stale price to borrow more than is allowed or redeem assets at a higher price than the real market price.

```solidity
function getPriceFromChainlink(address base, address quote) internal view returns (uint256) {
    // returns roundId, answer, startedAt, updatedAt, answeredInRound
    (uint80 latestRoundId, int256 price, , uint256 updatedAt, uint80 answeredInRound) =
        registry.latestRoundData(base, quote);
    require(price > 0, "invalid price");
    // Only the round-id relation is checked; updatedAt is read but never compared against block.timestamp.
    require(answeredInRound >= latestRoundId, "Price Stale");
    // Extend the decimals to 1e18.
    // This normalizes the Chainlink price to 18 decimals. For all pairs, 8 decimals; for ETH, 18 decimals.
    // So for example, if the quote is token/usd, that's 8 decimals, and price * 10**(18 - 8) = price * 10**10
    // gives Chainlink's price in 18 decimals.
    return uint256(price) * 10 ** (18 - uint256(registry.decimals(base, quote)));
}
```
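The same lookup with the missing freshness check added, as an added example rather than Iron Bank's own code: the `FeedRegistryLike` interface mirrors the two Chainlink Feed Registry calls the snippet uses, and the per-pair `maxStaleness` mapping, the `owner` guard and the contract name are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal view of the Chainlink Feed Registry calls used by the original snippet.
interface FeedRegistryLike {
    function latestRoundData(address base, address quote)
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

    function decimals(address base, address quote) external view returns (uint8);
}

contract StalenessCheckedOracle {
    FeedRegistryLike public immutable registry;
    address public immutable owner;

    // Assumed configuration: longest time (seconds) a feed may go without an update
    // before its answer is rejected. Set per pair to the feed's documented heartbeat
    // plus a small margin for block-time jitter.
    mapping(address => mapping(address => uint256)) public maxStaleness;

    constructor(FeedRegistryLike _registry) {
        registry = _registry;
        owner = msg.sender;
    }

    function setMaxStaleness(address base, address quote, uint256 maxAge) external {
        require(msg.sender == owner, "not owner");
        maxStaleness[base][quote] = maxAge;
    }

    function getPriceFromChainlink(address base, address quote) public view returns (uint256) {
        (uint80 roundId, int256 price, , uint256 updatedAt, uint80 answeredInRound) =
            registry.latestRoundData(base, quote);

        require(price > 0, "invalid price");
        require(answeredInRound >= roundId, "Price Stale");

        // The check the original omits: reject an answer whose last update is older than the
        // configured heartbeat. updatedAt == 0 means the round never completed, and a feed
        // with no configured heartbeat is refused rather than trusted by default.
        uint256 limit = maxStaleness[base][quote];
        require(limit != 0, "heartbeat not configured");
        require(updatedAt != 0 && block.timestamp - updatedAt <= limit, "stale price");

        // Normalize to 18 decimals exactly as the original does.
        return uint256(price) * 10 ** (18 - uint256(registry.decimals(base, quote)));
    }
}
```

Under Solidity 0.8 checked arithmetic, an `updatedAt` in the future also reverts the subtraction, so a misbehaving feed is rejected rather than accepted.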
sherlock-admin added the Medium (A valid Medium severity issue), Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label) and Reward (A payout will be made for this issue) labels and removed the Non-Reward (This issue will not receive a payout) label on Jul 19, 2023.
0x8chars
medium
No check for stale price from chainlink
Code Snippet
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L66-L72
Tool used
Manual Review
Recommendation
Duplicate of #9