Description
Lines of code
https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/oracles/EthOracle.sol#L31
Vulnerability details
Description
Chainlink's multisigs can immediately block access to price feeds at will. Therefore, to prevent denial of service scenarios, it is recommended to query Chainlink price feeds using a defensive approach with Solidity’s try/catch structure. In this way, if the call to the price feed fails, the caller contract is still in control and can handle any errors safely and explicitly.
Refer to https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles/ for more information regarding potential risks to account for when relying on external price feed providers.
function getLatestPrice() public view override returns (IOracle.Price memory price) {
@--> (, int256 answer, uint256 startedAt, uint256 updatedAt,) = _ethPriceFeed.latestRoundData();
if ( answer<= 0 ) revert InvalidPriceFromOracle();
if ( startedAt ==0 || updatedAt == 0 ) revert InvalidPriceUpdatedAt();
price.price = uint256(answer);
price.lastUpdate = updatedAt;
}Similar past issues
- Unhandled chainlink revert would lock all price oracle access 2022-07-juicebox-findings#59
- obront - If a token's oracle goes down or price falls to zero, liquidations will be frozen sherlock-audit/2023-02-blueberry-judging#161
Tools Used
Manual review
Recommended Mitigation Steps
Surround the call to latestRoundData() with try/catch instead of calling it directly and provide a graceful alternative/exit.
Assessed type
Other