Inconsistent Price Data Due to Sequencer Downtime and Expired Oracle Prices #94
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-69
🤖_178_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
Comments
Jun 17, 2024: howlbot-integration (bot) added the labels 2 (Med Risk), 🤖_178_group, bug, duplicate-56 and sufficient quality report.
Jun 28, 2024: alex-ppg changed the severity to QA (Quality Assurance). c4-judge added the labels downgraded by judge (Judge downgraded the risk level of this issue) and QA (Quality Assurance) (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax) and removed 2 (Med Risk).
Jun 28, 2024: alex-ppg marked the issue as grade-c. c4-judge added the labels grade-c and unsatisfactory (does not satisfy C4 submission criteria; not eligible for awards).
Jul 4, 2024: c4-judge added the label 2 (Med Risk) and removed downgraded by judge and QA (Quality Assurance). This previously downgraded issue has been upgraded by alex-ppg. alex-ppg marked the issue as not a duplicate, then marked the issue as duplicate of #69. c4-judge added the labels duplicate-69 and satisfactory and removed grade-c and unsatisfactory. alex-ppg marked the issue as satisfactory.
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L18
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45
Vulnerability details
Impact
Sequencer Downtime: If the sequencer is down, the price data may be stale or incorrect, leading to inaccurate calculations and potential financial losses.
Oracle Price Expiry: Using expired price data can result in incorrect price feeds, causing potential mispricing and financial discrepancies.
Heartbeat Consistency: Inconsistent heartbeats can lead to varying data freshness, causing unreliable price feeds across different tokens.
Proof of Concept
Sequencer Downtime: Assume the sequencer is down for 10 minutes. getSqrtPrice() fetches data without checking sequencer status. The price data is stale, leading to incorrect price calculations.
Expired Oracle Data: Using expired oracle data can lead to incorrect price calculations, which can result in financial losses and unreliable contract behavior.
Price feed A has a heartbeat of 1 minute, and price feed B has a heartbeat of 5 minutes.
getSqrtPrice() fetches data from both feeds.
The data freshness is inconsistent, leading to unreliable price calculations.
Read here
Tools Used
Manual Review
Recommended Mitigation Steps
While creating a PriceFeed, ensure we have a heartbeat interval for each price feed.
Now implement a check against the heartbeat interval.
Now, to check if the sequencer is down, please follow the example in the Chainlink documentation on how to check the sequencer status: Chainlink Sequencer Status Check.
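The three mitigation steps above (a per-feed heartbeat recorded at registration, a staleness check against that heartbeat, and the Chainlink sequencer uptime check), as one added example that also covers the Proof of Concept scenarios. This is illustrative code written for this page, not Predy's PriceFeed.sol; the contract name GuardedPriceFeed, the registerFeed/getValidatedPrice functions, the one-hour grace period and the sample heartbeats are assumptions. The AggregatorV3Interface signature and the "answer == 0 means up, startedAt is the restart time" semantics of the sequencer uptime feed follow the Chainlink documentation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink's AggregatorV3Interface, vendored here so the example compiles stand-alone.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical hardened feed wrapper (added example, not the project's own code).
contract GuardedPriceFeed {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice(address feed, uint256 age, uint256 heartbeat);
    error InvalidPrice(address feed);

    // Chainlink L2 sequencer uptime feed: answer == 0 means the sequencer is up, 1 means down.
    AggregatorV3Interface public immutable sequencerUptimeFeed;

    // Assumed grace period: prices published right after a restart may still be catching up,
    // so reads are refused until this much time has passed since the sequencer came back.
    uint256 public constant GRACE_PERIOD = 1 hours;

    // Step 1 of the mitigation: each aggregator gets its own maximum age at registration,
    // e.g. 1 minutes for "feed A" and 5 minutes for "feed B" from the PoC (constructed values).
    mapping(address => uint256) public heartbeatOf;

    constructor(address _sequencerUptimeFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    // Registration binds a heartbeat to a feed; a feed without one cannot be read.
    // Access control is omitted here; in production restrict this to the owner/governance.
    function registerFeed(address feed, uint256 heartbeat) external {
        require(heartbeat > 0, "heartbeat required");
        heartbeatOf[feed] = heartbeat;
    }

    // Step 3: the Chainlink sequencer status check (reverts instead of returning stale data).
    function _requireSequencerUp() internal view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (answer != 0) revert SequencerDown();
        // startedAt is when the current status began; if the sequencer only just came back,
        // treat its prices as unreliable until the grace period has elapsed.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    // Step 2: the price is returned only if the sequencer is up and the answer is no older
    // than this feed's own heartbeat, so feeds with different heartbeats are each judged by
    // their own freshness bound rather than by a single global constant.
    function getValidatedPrice(address feed) public view returns (uint256 price, uint8 decimals) {
        uint256 heartbeat = heartbeatOf[feed];
        require(heartbeat != 0, "unregistered feed");
        _requireSequencerUp();

        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
        if (answer <= 0 || updatedAt == 0) revert InvalidPrice(feed);

        uint256 age = block.timestamp - updatedAt;
        if (age > heartbeat) revert StalePrice(feed, age, heartbeat);

        return (uint256(answer), AggregatorV3Interface(feed).decimals());
    }
}
```

In the 10-minute-outage scenario from the Proof of Concept, getValidatedPrice reverts with SequencerDown while the outage lasts and with GracePeriodNotOver for the first hour after recovery; a feed whose last update is older than its registered heartbeat reverts with StalePrice, which is the behaviour a caller such as getSqrtPrice() should inherit rather than silently computing on an expired answer. The sqrt-price conversion itself is the project's own logic and is not reproduced here.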
Assessed type
Oracle