cergyk - HOTOracle::getSqrtOraclePriceX96 Missing checks on values returned by Chainlink aggregators #72
Labels: Excluded (excluded by the judge without consulting the protocol or the senior), Non-Reward (this issue will not receive a payout)
Author: cergyk
Severity: medium
Summary
HOTOracle::getSqrtOraclePriceX96 relies on latestRoundData(), but the returned data is not properly checked, so the function can return a stale or incorrect result.

Vulnerability Detail
HOTOracle::getSqrtOraclePriceX96 relies on Chainlink's latestRoundData() function to get the price in USD: HOTOracle.sol#L142. However, according to the Chainlink documentation, the returned data should be checked to ensure it is neither stale nor incorrect.
In the current implementation only updatedAt is checked, which can still let a stale or incorrect result through: HOTOracle.sol#L144-L146. Here is an example of a previous report on the same issue: sherlock-audit/2023-02-blueberry-judging#94.
Impact
HOTOracle::_getOraclePriceUSD could return stale or incorrect data, so the sqrt oracle price would be calculated from a wrong input.

Code Snippet
Tool used
Manual Review, Solodit
Recommendation
Add the below checks for returned data: HOTOracle.sol#L138-L149
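As an added illustration of the checks this recommendation refers to (this is example code written for this page, not code from the issue or from the HOT repository), the wrapper below reads a Chainlink aggregator and rejects every field combination that signals a stale or invalid answer, rather than checking updatedAt alone. AggregatorV3Interface is Chainlink's real interface, inlined so the file compiles on its own; the contract name, the error names and the maxPriceAge parameter are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal copy of Chainlink's AggregatorV3Interface (real interface), inlined
// so this example compiles without external imports.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Hypothetical example reader (not HOTOracle code) that validates
///         every field returned by latestRoundData() before using the price.
contract CheckedChainlinkReader {
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error StaleRound(uint80 roundId, uint80 answeredInRound);

    AggregatorV3Interface public immutable feed;

    /// @dev Maximum accepted age of the latest answer. Set it from the feed's
    ///      documented heartbeat plus a small margin (assumed deployment value).
    uint256 public immutable maxPriceAge;

    constructor(AggregatorV3Interface feed_, uint256 maxPriceAge_) {
        feed = feed_;
        maxPriceAge = maxPriceAge_;
    }

    /// @notice Returns the latest price and its decimals, reverting on any
    ///         sign of a stale, incomplete or broken answer.
    function getCheckedPrice() public view returns (uint256 price, uint8 priceDecimals) {
        (
            uint80 roundId,
            int256 answer,
            , // startedAt is not needed for these checks
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // 1. A zero or negative answer means the feed is broken or misconfigured.
        if (answer <= 0) revert InvalidPrice(answer);

        // 2. A round that has not completed reports updatedAt == 0.
        if (updatedAt == 0) revert IncompleteRound(roundId);

        // 3. Older than the accepted window: the oracle network has stopped updating.
        if (block.timestamp - updatedAt > maxPriceAge) revert StalePrice(updatedAt, maxPriceAge);

        // 4. The answer was carried over from an earlier round. Chainlink now
        //    marks answeredInRound as deprecated, so this is a conservative check
        //    that only costs a comparison on feeds that still populate it.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        return (uint256(answer), feed.decimals());
    }
}
```

The caller still has to decide what a revert means for the protocol (pause the affected market, fall back to a secondary source, or simply refuse the trade); what the wrapper guarantees is that a silently stale or zero price never reaches the sqrt-price calculation.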