Use of deprecated Chainlink latestAnswer can return stale data #278
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-655
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L574
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/TradingExtension.sol#L98
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/TradingExtension.sol#L172-L180
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/utils/TradingLibrary.sol#L113
Vulnerability details
Impact
latestAnswer in the Chainlink API is deprecated according to the Chainlink docs (https://docs.chain.link/data-feeds/price-feeds/). It can return stale data, or 0 in the event of an error. If it returns stale data, verifyPrice may fail because of the difference in price, or succeed even though the fresh Chainlink price is not within the tolerance of the other oracle's price. If it returns 0, no check is done and the other oracle gets to dictate the price.
Proof of Concept
limitClose in Trading.sol is the function that is affected by this. The order of calling is limitClose -> _limitClose -> getVerifiedPrice -> verifyPrice.
Manual Review
Recommended Mitigation Steps
Consider using latestRoundData to get the price, and validate the returned round data (a positive answer, an updatedAt that is recent enough for the feed's heartbeat, and answeredInRound >= roundId) before using it in verifyPrice.
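As an added example (not Tigris code and not taken from the report), the deprecated latestAnswer pattern the issue describes sits beside a latestRoundData read that applies the checks above. The contract and function names, the one-hour staleness bound, the 2% tolerance and the MockFeed are assumptions chosen for illustration; both prices are assumed to use the same decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Deprecated aggregator interface exposing latestAnswer (the call the issue flags).
interface AggregatorInterface {
    function latestAnswer() external view returns (int256);
}

// Subset of the Chainlink AggregatorV3Interface used below.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative contract, not Tigris code. maxPriceDelay, maxDeviationBps,
/// unsafeVerifyPrice and safeVerifyPrice are names assumed for this example.
contract ChainlinkFreshnessExample {
    uint256 public constant maxPriceDelay = 1 hours; // assumed: should match the feed's heartbeat
    uint256 public constant maxDeviationBps = 200;   // assumed: 2% tolerance between the two oracles

    // Before: the pattern the report describes. A zero answer skips the check
    // entirely, and a stale answer is compared as if it were current.
    function unsafeVerifyPrice(address feed, uint256 oraclePrice) external view returns (bool) {
        int256 answer = AggregatorInterface(feed).latestAnswer();
        if (answer == 0) {
            return true; // the other oracle dictates the price
        }
        return _withinTolerance(uint256(answer), oraclePrice);
    }

    // After: latestRoundData plus the validation a reviewer expects.
    function safeChainlinkPrice(address feed) public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();
        require(answer > 0, "chainlink: non-positive answer");
        require(updatedAt != 0, "chainlink: round not complete");
        require(block.timestamp - updatedAt <= maxPriceDelay, "chainlink: stale answer");
        require(answeredInRound >= roundId, "chainlink: answer carried over from a previous round");
        return uint256(answer);
    }

    function safeVerifyPrice(address feed, uint256 oraclePrice) external view returns (bool) {
        // A zero or stale Chainlink price now reverts instead of silently passing.
        return _withinTolerance(safeChainlinkPrice(feed), oraclePrice);
    }

    function _withinTolerance(uint256 reference, uint256 candidate) internal pure returns (bool) {
        uint256 diff = reference > candidate ? reference - candidate : candidate - reference;
        return diff * 10_000 <= reference * maxDeviationBps;
    }
}

// Constructed mock feed (not a real Chainlink contract) for trying both paths
// locally: deploy it with a stale updatedAt or a zero answer and call each verify function.
contract MockFeed is AggregatorInterface, AggregatorV3Interface {
    int256 public answer;
    uint256 public updatedAt;
    uint80 public roundId;
    uint80 public answeredInRound;

    constructor(int256 _answer, uint256 _updatedAt, uint80 _roundId, uint80 _answeredInRound) {
        answer = _answer;
        updatedAt = _updatedAt;
        roundId = _roundId;
        answeredInRound = _answeredInRound;
    }

    function latestAnswer() external view override returns (int256) {
        return answer;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}
```

With a MockFeed deployed as (0, block.timestamp, 1, 1), unsafeVerifyPrice returns true for any oraclePrice while safeVerifyPrice reverts; with a positive answer but an updatedAt older than one hour, unsafeVerifyPrice still compares against the stale value while safeVerifyPrice reverts with "chainlink: stale answer". The staleness bound is per feed in practice, since heartbeats differ between feeds and chains.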