This repository has been archived by the owner on Dec 17, 2023. It is now read-only.

Ocean_Sky - Chainlink's latestRoundData return stale or incorrect result #131

Closed
sherlock-admin opened this issue Jun 15, 2023 · 0 comments
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout


Ocean_Sky

medium

Chainlink's latestRoundData return stale or incorrect result

Summary

Chainlink's latestRoundData may return a stale or incorrect result

Vulnerability Detail

Checks are missing on the return values from Chainlink's latestRoundData, which is used by the functions sync() and getLatestRound:
https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/ChainlinkOracle.sol#L59-L79

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/types/ChainlinkRegistry.sol#L34-L37

This could result in stale prices being read from the price oracle. See the Chainlink documentation for support:
https://docs.chain.link/data-feeds/historical-data

Related Issue report:
sherlock-audit/2023-02-blueberry-judging#63

Impact

Stale prices could result in incorrect liquidations.

Code Snippet

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/ChainlinkOracle.sol#L59-L79

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/types/ChainlinkRegistry.sol#L34-L37

Tool used

Manual Review

Recommendation

Consider adding these checks to the getLatestRound function:

(uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
    FeedRegistryInterface(ChainlinkRegistry.unwrap(self)).latestRoundData(base, quote);

require(answer >= 0, "Negative price");
require(answeredInRound >= roundId, "Price Stale");
...
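
The checks recommended above, placed in a compilable wrapper. This is an added example, not code from the report or from Perennial: the names IFeedRegistryMinimal, CheckedFeedReader, latestRoundChecked and the custom errors are hypothetical, and the updatedAt check is an assumption that is not part of the report's snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal slice of Chainlink's FeedRegistryInterface: only the call used below.
interface IFeedRegistryMinimal {
    function latestRoundData(address base, address quote)
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical wrapper (not Perennial's code) that validates a round before returning it.
contract CheckedFeedReader {
    error NegativePrice(int256 answer);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error IncompleteRound(uint80 roundId);

    IFeedRegistryMinimal public immutable registry;

    constructor(IFeedRegistryMinimal registry_) {
        registry = registry_;
    }

    function latestRoundChecked(address base, address quote)
        external
        view
        returns (uint80 roundId, int256 answer, uint256 updatedAt)
    {
        uint80 answeredInRound;
        (roundId, answer, , updatedAt, answeredInRound) = registry.latestRoundData(base, quote);

        // The two checks from the report's recommendation.
        if (answer < 0) revert NegativePrice(answer);
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        // Assumption added here: a zero timestamp is treated as a round that never completed.
        if (updatedAt == 0) revert IncompleteRound(roundId);
    }
}
```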

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jun 19, 2023
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label Jun 29, 2023