This repository has been archived by the owner on May 26, 2023. It is now read-only.

minhquanym - Oracle data feed is insufficiently validated. #118

Closed
sherlock-admin opened this issue Oct 18, 2022 · 0 comments
sherlock-admin commented Oct 18, 2022

minhquanym

medium

Oracle data feed is insufficiently validated.

Summary

Oracle data feed is insufficiently validated.
https://github.com/sherlock-audit/2022-09-knox/blob/main/knox-contracts/contracts/pricer/PricerInternal.sol#L49-L55

Vulnerability Detail

Oracle data feed is insufficiently validated. There are no checks for stale prices or round completeness.
The price can be stale, leading to a wrong price return value.

Impact

The price can be stale, leading to a wrong price return value.

Code Snippet

Function _latestAnswer64x64() calls latestRoundData() to get the basePrice and underlyingPrice:

function _latestAnswer64x64() internal view returns (int128) {
    // Only the answer is read; roundId, updatedAt and answeredInRound are discarded,
    // so a stale or incomplete round is accepted silently.
    (, int256 basePrice, , , ) = BaseSpotOracle.latestRoundData();
    (, int256 underlyingPrice, , , ) =
        UnderlyingSpotOracle.latestRoundData();

    // 64.64 fixed-point ratio of underlying to base; no sign or zero check on basePrice.
    return ABDKMath64x64.divi(underlyingPrice, basePrice);
}

Tool used

Manual Review

Recommendation

Consider adding validation for the data feed:

(uint80 roundID, int256 basePrice, , uint256 timestamp, uint80 answeredInRound) = BaseSpotOracle.latestRoundData();
require(basePrice > 0, "price <= 0");
require(answeredInRound >= roundID, "stale price");
require(timestamp > 0, "round not complete");

Duplicate of #137
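A hardened version of the pricer that applies the recommended checks and, going one step beyond the finding, also rejects answers older than a maximum age. This is an added illustration, not Knox's code: it assumes the Chainlink AggregatorV3Interface signature, the ABDKMath64x64 library, and a MAX_PRICE_AGE tolerance that must be set per feed heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "abdk-libraries-solidity/ABDKMath64x64.sol"; // assumed dependency

// Minimal Chainlink aggregator interface (matches AggregatorV3Interface.latestRoundData).
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical hardened pricer: every oracle read goes through _validatedPrice().
contract HardenedPricer {
    // Assumption: tune to each feed's heartbeat; too small causes spurious reverts,
    // too large lets a frozen feed keep pricing.
    uint256 internal constant MAX_PRICE_AGE = 1 hours;

    IAggregatorV3 public immutable baseSpotOracle;
    IAggregatorV3 public immutable underlyingSpotOracle;

    constructor(IAggregatorV3 base, IAggregatorV3 underlying) {
        baseSpotOracle = base;
        underlyingSpotOracle = underlying;
    }

    // Reads a feed and reverts unless the round is complete, fresh and positive.
    function _validatedPrice(IAggregatorV3 feed) internal view returns (int256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        require(answer > 0, "price <= 0");                    // also rules out division by zero
        require(updatedAt > 0, "round not complete");          // Chainlink leaves 0 for an unfinished round
        require(answeredInRound >= roundId, "stale price");    // answer carried over from an older round
        require(updatedAt <= block.timestamp, "future timestamp");
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "price too old");
        return answer;
    }

    // Same ratio as the original, but both inputs are validated first.
    function _latestAnswer64x64() internal view returns (int128) {
        int256 basePrice = _validatedPrice(baseSpotOracle);
        int256 underlyingPrice = _validatedPrice(underlyingSpotOracle);
        return ABDKMath64x64.divi(underlyingPrice, basePrice);
    }
}
```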
