Skip to content
This repository has been archived by the owner on Dec 17, 2023. It is now read-only.

rvierdiiev - PriceOracle.getPrice doesn't check for stale price #9

Open
sherlock-admin opened this issue Jun 11, 2023 · 10 comments
Open

rvierdiiev - PriceOracle.getPrice doesn't check for stale price #9

sherlock-admin opened this issue Jun 11, 2023 · 10 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin
Copy link
Contributor

rvierdiiev

medium

PriceOracle.getPrice doesn't check for stale price

Summary

PriceOracle.getPrice doesn't check for stale price. As result protocol can make decisions based on not up to date prices, which can cause loses.

Vulnerability Detail

PriceOracle.getPrice function is going to provide asset price using chain link price feeds.
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L66-L72

    function getPriceFromChainlink(address base, address quote) internal view returns (uint256) {
        (, int256 price,,,) = registry.latestRoundData(base, quote);
        require(price > 0, "invalid price");

        // Extend the decimals to 1e18.
        return uint256(price) * 10 ** (18 - uint256(registry.decimals(base, quote)));
    }

This function doesn't check that prices are up to date. Because of that it's possible that price is not outdated which can cause financial loses for protocol.

Impact

Protocol can face bad debt.

Code Snippet

Provided above

Tool used

Manual Review

Recommendation

You need to check that price is not outdated by checking round timestamp.
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jun 19, 2023
This was referenced Jun 19, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Jun 19, 2023
Closed
Closed
Closed
Closed
@ibsunhub
Copy link

Same with the answer to #25.
It's not practical to setup different heartbeat for individual markets. And we have a backend to monitor the price deviation.

@ibsunhub ibsunhub added the Sponsor Disputed The sponsor disputed this issue's validity label Jun 21, 2023
@0xffff11
Copy link
Collaborator

Due to the off-chain system by Iron, issue can be a low. (Does not really affect the current state of the contracts) @ibsunhub Is it the right resolution, or thinking more about invalid?

@ib-tycho
Copy link

We still think this is invalid, thanks

@0xffff11
Copy link
Collaborator

Because Iron's off-chain safeguard, invalid

@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jun 25, 2023
@bzpassersby
Copy link

bzpassersby commented Jun 26, 2023
edited
Loading

Escalate for 10 USDC
I think this is wrongly classified as invalid.
(1) It's impossible for Watsons to know that the protocol has off-chain safeguards because the protocol explicitly said there are no off-chain mechanisms in the contest info. It's unfair for Watsons who might be misled by this answer.

Q: Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?
nope

(2)It's right and should be encouraged for Watsons to point-out insufficient on-chain checks. The current code ignores any data freshness-related variables when consuming chainlink data, which is clearly not the best practice.

And it's understandable that the protocol chose to implement such checks off-chain. But since Watsons wouldn't have known about this and that the code itself clearly has flaws. This should be at least low/informational. It's unfair for Watsons to be punished because of this.

@sherlock-admin
Copy link
Contributor Author

sherlock-admin commented Jun 26, 2023
edited
Loading

Escalate for 10 USDC
I think this is wrongly classified as invalid.
(1) It's impossible for Watsons to know that the protocol has off-chain safeguards because the protocol explicitly said there are no off-chain mechanisms in the contest info. It's unfair for Watsons who might be misled by this answer.

Q: Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?
nope

(2)It's right and should be encouraged for Watsons to point-out insufficient on-chain checks. The current code ignores any data freshness-related variables when consuming chainlink data, which is clearly not the best practice.

And it's understandable that the protocol chose to implement such checks off-chain. But since Watsons wouldn't have known about this and that the code itself clearly has flaws. This should be at least low/informational. It's unfair for Watsons to be punished because of this.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Jun 26, 2023
@hrishibhat
Copy link

hrishibhat commented Jul 16, 2023
edited
Loading

Result:
Medium
Has Duplicates
Considering this a valid medium

@sherlock-admin
Copy link
Contributor Author

sherlock-admin commented Jul 16, 2023
edited
Loading

Escalations have been resolved successfully!

Escalation status:

@hrishibhat hrishibhat reopened this Jul 16, 2023
@sherlock-admin sherlock-admin added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Jul 16, 2023
@hrishibhat hrishibhat added the Medium A valid Medium severity issue label Jul 16, 2023
@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected and removed Escalated This issue contains a pending escalation labels Jul 16, 2023
@Josephdara
Copy link

Hi @hrishibhat @sherlock-admin
I believe my issue has been omitted
#471 (comment)

@rcstanciu rcstanciu mentioned this issue Jul 19, 2023
Closed
@sherlock-admin sherlock-admin added the Has Duplicates A valid issue with 1+ other issues describing the same vulnerability label Jul 19, 2023
@ib-tycho ib-tycho added the Won't Fix The sponsor confirmed this issue will not be fixed label Jul 20, 2023
@jacksanford1
Copy link

Issue was labeled "Won't Fix" by protocol team. Categorizing as an acknowledged issue.

@sherlock-admin sherlock-admin mentioned this issue Aug 15, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@hrishibhat @jacksanford1 @Josephdara @bzpassersby @sherlock-admin @ib-tycho @ibsunhub @0xffff11