TradingLibrary.verifyPrice is using a deprecated ChainLink API, which can lead to a stale price being returned. #466
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-655
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/utils/TradingLibrary.sol#L113
Vulnerability details
Impact
TradingLibrary.verifyPrice is using the Chainlink latestAnswer function to retrieve an asset price. This function is deprecated and does not implement any round check to ensure the price is not stale. This means verifyPrice might let _priceData.price pass the checks against a stale price, ultimately leading to unhealthy trades being opened or closed in Trading.
Proof of Concept
The library function verifyPrice calls the ChainLink API:
The library function is called by TradingExtension.getVerifyPrice:
Which is used to compute the price of assets in all the functions of Trading:
Tools Used
Manual Review
Recommended Mitigation Steps
Use the latestRoundData function instead, and implement sufficient checks to ensure the price returned is valid, by checking roundId and answeredInRound.
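The vulnerable pattern next to the recommended fix, as an added illustration that is not the Tigris code from the report: the Chainlink aggregator interface is declared inline so it compiles stand-alone, and the maxAge staleness bound on updatedAt is an assumed extra check beyond the roundId/answeredInRound comparison the finding recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink aggregator interface, declared inline for this example.
interface IAggregator {
    // Deprecated: returns only the last answer, with no round metadata to validate.
    function latestAnswer() external view returns (int256);

    // Current API: returns the answer together with the round bookkeeping needed
    // to tell whether the value is fresh.
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

library ChainlinkPriceExample {
    // Vulnerable pattern (the behaviour the finding describes): the deprecated
    // latestAnswer value is taken at face value, so a stale feed silently passes.
    function unsafePrice(IAggregator feed) internal view returns (uint256) {
        int256 answer = feed.latestAnswer();
        require(answer > 0, "invalid answer");
        return uint256(answer);
    }

    // Hardened pattern: use latestRoundData and reject incomplete or stale rounds.
    // maxAge is an assumed caller-supplied bound (e.g. the feed heartbeat plus a margin).
    function safePrice(IAggregator feed, uint256 maxAge) internal view returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();
        require(answer > 0, "invalid answer");
        require(updatedAt != 0, "round not complete");
        require(answeredInRound >= roundId, "stale round");
        require(block.timestamp - updatedAt <= maxAge, "price too old");
        return uint256(answer);
    }
}
```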