USE OF DEPRECATED CHAINLINK FUNCTION LATESTANSWER #349
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-655
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/utils/TradingLibrary.sol#L113
Vulnerability details
Impact
verifyPrice() doesn't work
Proof of Concept
According to Chainlink’s documentation (Deprecated API Reference, Migration Instructions, and API Reference), the latestAnswer function is deprecated. This function does not throw an error if no answer has been reached, but instead returns 0, causing an incorrect price.
https://docs.chain.link/data-feeds/price-feeds/api-reference#latestanswer
Tools Used
Recommended Mitigation Steps
Recommend using the latestRoundData function to get the price instead. Also recommend adding checks on the return data with proper revert messages if the price is stale or the round is incomplete, for example:
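A sketch of the checks recommended above, added here as an example; it is not code from the original report or from the Tigris repository. The library name `CheckedFeed`, the function `latestPrice` and the `maxAge` parameter are hypothetical, and the interface is Chainlink's `AggregatorV3Interface` reduced to the one function used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink's AggregatorV3Interface, reduced to the function used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper (name and maxAge are assumptions, not project code).
library CheckedFeed {
    /// Returns the feed's latest answer, or reverts with a reason.
    /// maxAge is the longest acceptable time since the last update, in
    /// seconds; pick it from the feed's published heartbeat.
    function latestPrice(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (uint256)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // updatedAt == 0 means the round has not been completed yet.
        require(updatedAt != 0, "Chainlink: round incomplete");
        // On older aggregators a lower answeredInRound marks a carried-over answer.
        require(answeredInRound >= roundId, "Chainlink: answer carried over");
        // Checked subtraction: also reverts if updatedAt is in the future.
        require(block.timestamp - updatedAt <= maxAge, "Chainlink: stale price");
        // latestAnswer's silent 0 becomes an explicit revert here.
        require(answer > 0, "Chainlink: non-positive answer");

        return uint256(answer);
    }
}
```

The caller decides whether a revert should block the trade or fall back to another price source; silently skipping the comparison when the feed returns 0 defeats the purpose of the check.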