ChainLink pricer is using a deprecated API #165
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-655
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/utils/TradingLibrary.sol#L113
Vulnerability details
Description
According to Chainlink's documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stops supporting deprecated APIs. And the old API can return stale data.
Proof Of Concept
https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/utils/TradingLibrary.sol#L113
Recommended Mitigation Steps
Use the latestRoundData function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is incomplete. See docs for reference: https://docs.chain.link/docs/price-feeds-api-reference/
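One way to apply the recommended checks, as an added example that is not part of the original report or the Tigris code base. The library name CheckedFeed, the function readPrice and the maxAge parameter are hypothetical; the interface is the subset of Chainlink's AggregatorV3Interface that the example needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper (assumption): not the project's TradingLibrary.
library CheckedFeed {
    // maxAge is an assumed per-feed limit in seconds, chosen by the
    // integrator from the heartbeat of the feed being read.
    function readPrice(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (uint256 price, uint8 feedDecimals)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // A zero or negative answer cannot be used as a price.
        require(answer > 0, "Chainlink: non-positive price");
        // updatedAt == 0 means the round has not been completed.
        require(updatedAt != 0, "Chainlink: round incomplete");
        // The answer must not be carried over from an earlier round.
        require(answeredInRound >= roundId, "Chainlink: stale round");
        // Checked arithmetic also reverts if updatedAt is in the future.
        require(block.timestamp - updatedAt <= maxAge, "Chainlink: stale price");

        price = uint256(answer);
        feedDecimals = feed.decimals();
    }
}
```

Each failure path reverts with its own message, so a stale or incomplete round stops the trade instead of being priced silently.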