ChainLink oracle could be using stale data #624
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-655
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
GalloDaSballo marked the issue as duplicate of #655 |
C4-Staff
added a commit
that referenced
this issue
Jan 6, 2023
|
GalloDaSballo marked the issue as satisfactory |
c4-judge
added
the
satisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/utils/TradingLibrary.sol#L113
Vulnerability details
Impact
ChainLink oracle could be using stale data which can cause unexpected behavior in trading and make trading susceptible to oracle attacks (flash loans etc).
Proof of Concept
In verifyPrice() the ChainLink feed should use latestRoundData() instead of latestAnswer() https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/utils/TradingLibrary.sol#L113 since latestAnswer() returns the last value but the data could be stale. Using latestRoundData() allows for checking the updateTime and answeredInRound fields for staleness validation.
Tools Used
None
Recommended Mitigation Steps
Use (roundId, price, , updateTime, answeredInRound) = IPrice(_chainlinkFeed).latestRoundData() and add latestRoundData() to IPrice interface.
The text was updated successfully, but these errors were encountered: