cergyk - HOTOracle::getSqrtOraclePriceX96 Missing checks on values returned by Chainlink aggregators #72
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Comments
github-actions
bot
added
the
Excluded
sherlock-admin2
changed the title
github-actions
bot
changed the title
sherlock-admin
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
cergyk
medium
HOTOracle::getSqrtOraclePriceX96 Missing checks on values returned by Chainlink aggregators
Summary
HOTOracle::getSqrtOraclePriceX96is relying onlatestRoundData()but the returned data isn’t properly checked potentially returning stale or incorrect result.Vulnerability Detail
HOTOracle::getSqrtOraclePriceX96is relying on ChainlinklatestRoundData()function to get the price in USD: HOTOracle.sol#L142.However, according to Chainlink documentation, the returned data should be checked to ensure no stale or incorrect result:
In the current implementation, only
updatedAtis checked, which could lead to stale or incorrect result: HOTOracle.sol#L144-L146.Here’s an example of a previous report related to this issue: sherlock-audit/2023-02-blueberry-judging#94.
Impact
HOTOracle::_getOraclePriceUSDcould return stale or incorrect data, thus wrongly calculating sqrt oracle price.Code Snippet
Tool used
Manual Review, Solodit
Recommendation
Add the below checks for returned data: HOTOracle.sol#L138-L149
function _getOraclePriceUSD( AggregatorV3Interface feed, uint32 maxOracleUpdateDuration ) internal view returns (uint256 oraclePriceUSD) { - (, int256 oraclePriceUSDInt, , uint256 updatedAt, ) = feed.latestRoundData(); + (uint80 roundID, int256 answer, uint256 timestamp, uint256 updatedAt, ) = feed.latestRoundData(); + require(updatedAt >= roundID, "Stale price"); + require(timestamp != 0, "Round not complete"); + require(answer > 0, "Chainlink answer reporting 0"); if (block.timestamp - updatedAt > maxOracleUpdateDuration) { revert HOTOracle___getOraclePriceUSD_stalePrice(); } oraclePriceUSD = oraclePriceUSDInt.toUint256(); }The text was updated successfully, but these errors were encountered: