This repository has been archived by the owner on May 26, 2023. It is now read-only.

GalloDaSballo - M-01 Feed latest answer not validated (may be old, may be down) #127

Closed
sherlock-admin opened this issue Oct 18, 2022 · 0 comments

sherlock-admin commented Oct 18, 2022

GalloDaSballo

medium

M-01 Feed latest answer not validated (may be old, may be down)

Summary

PricerInternal is not checking for feed answer staleness.

https://github.com/sherlock-audit/2022-09-knox/blob/main/knox-contracts/contracts/pricer/PricerInternal.sol#L52

updatedAt field from oracle is not checked.

Vulnerability Detail

Impact

Oracle may be down, not updated due to network congestion or network attack, and without the extra check the system will accept a stale / old price at face value.

Code Snippet

Tool used

Manual Review

Recommendation

Add a check for staleness like the following:

https://github.com/GalloDaSballo/Super-Simple-Options/blob/7b817bb62be089116ff45502c370d2018d6cf62e/contracts/SuperSimpleCoveredCall.sol#L90

Duplicate of #137
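
A sketch of the kind of staleness check the recommendation describes, added here as an example; it is not the Knox code or the code at the linked repository. It assumes the feed follows the Chainlink `AggregatorV3Interface` shape (the source of the `updatedAt` field); the contract name `StalenessCheckedPricer` and the `maxStaleness` parameter are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: the feed exposes the Chainlink AggregatorV3Interface shape,
// which is where the `updatedAt` field named in the finding comes from.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical contract, for illustration only.
contract StalenessCheckedPricer {
    AggregatorV3Interface public immutable feed;
    // Hypothetical threshold in seconds; choose it from the feed's update interval.
    uint256 public immutable maxStaleness;

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        require(_maxStaleness > 0, "maxStaleness is zero");
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    function latestPrice() public view returns (int256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();

        // Treat updatedAt == 0 as "no completed round".
        require(updatedAt != 0, "round not complete");
        // Explicit check so a timestamp ahead of the block fails with a clear reason.
        require(updatedAt <= block.timestamp, "updatedAt in future");
        // Reject answers older than the allowed window (feed down or not updating).
        require(block.timestamp - updatedAt <= maxStaleness, "stale price");
        // Reject a zero or negative answer instead of pricing against it.
        require(answer > 0, "invalid price");

        return answer;
    }
}
```

Reverting on a stale answer makes the caller fail closed, so the consuming contract needs a defined behaviour for that case (for example, pausing the operation that depends on the price).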
