ChainLink pricer is using a deprecated API #165
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-655
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
GalloDaSballo marked the issue as duplicate of #655 |
c4-judge
added
the
satisfactory
|
GalloDaSballo marked the issue as satisfactory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/utils/TradingLibrary.sol#L113
Vulnerability details
Description
According to Chainlink’s documentation, the
latestAnswerfunction is deprecated.This function might suddenly stop working if Chainlink stop supporting deprecated APIs. And the old API can return stale data.
Proof Of Concept
https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/utils/TradingLibrary.sol#L113
Recommended Mitigation Steps
Use the
latestRoundDatafunction to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is uncomplet.See docs for reference: https://docs.chain.link/docs/price-feeds-api-reference/
The text was updated successfully, but these errors were encountered: