15,000 USDC
Submission Details
Severity: medium
Valid

Improper validation of Chainlink data

Summary

The `staleCheckLatestRoundData` function returns a signed integer (`int256`) which is forcibly cast into an unsigned integer without checking that its value is positive.

Vulnerability Details

Casting a negative `int256` to `uint256` wraps around (two's complement) to a very large value; this may induce unexpected behaviour in both `getUsdValue` and `getTokenAmountFromUsd`.
See: https://docs.soliditylang.org/en/latest/types.html#explicit-conversions

Impact

In the case of `getUsdValue`:
- the collateral value of a user would be inaccurate -> the account information would be inaccurate -> error in calculating the health factor, which may force a user to be liquidated;
In the case of `getTokenAmountFromUsd`:
- the amount of redeemed collateral would be inaccurate -> the user loses more money than expected.

Tools Used

Manual code review.
Solidity docs.

Recommendations

Verify that values are non-negative before casting them to unsigned integers.
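The following is an added illustration of the recommended check, not code from the audited project: it places the unguarded cast next to a guarded version and includes a minimal mock feed so the two can be compared in a local test. The contract name, the `ADDITIONAL_FEED_PRECISION` / `PRECISION` constants (assuming an 8-decimal feed scaled to 18 decimals) and the custom error are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the
// example compiles without external imports.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Constructed mock feed: lets a test set any answer, including a negative one.
contract MockV3Aggregator is AggregatorV3Interface {
    int256 private s_answer;

    constructor(int256 initialAnswer) {
        s_answer = initialAnswer;
    }

    function updateAnswer(int256 newAnswer) external {
        s_answer = newAnswer;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, s_answer, block.timestamp, block.timestamp, 1);
    }
}

// Example consumer (assumed name) showing the unguarded cast and the guarded fix.
contract PriceConsumerExample {
    uint256 private constant ADDITIONAL_FEED_PRECISION = 1e10; // assumption: feed reports 8 decimals
    uint256 private constant PRECISION = 1e18;

    error PriceConsumerExample__InvalidPrice(int256 price); // assumed error name

    AggregatorV3Interface private immutable i_feed;

    constructor(address feed) {
        i_feed = AggregatorV3Interface(feed);
    }

    // Pattern described in the finding: uint256(price) on a negative answer
    // yields a value near 2**256, so the result is either meaningless or
    // reverts on checked arithmetic instead of surfacing the bad feed value.
    function getUsdValueUnchecked(uint256 amount) external view returns (uint256) {
        (, int256 price,,,) = i_feed.latestRoundData();
        return ((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;
    }

    // Recommended: reject non-positive answers before the cast.
    function getUsdValue(uint256 amount) external view returns (uint256) {
        uint256 price = _positivePrice();
        return ((price * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;
    }

    // Same guard applied to the inverse conversion.
    function getTokenAmountFromUsd(uint256 usdAmountInWei) external view returns (uint256) {
        uint256 price = _positivePrice();
        return (usdAmountInWei * PRECISION) / (price * ADDITIONAL_FEED_PRECISION);
    }

    // Single place where the signed answer is validated and converted.
    function _positivePrice() private view returns (uint256) {
        (, int256 price,,,) = i_feed.latestRoundData();
        if (price <= 0) revert PriceConsumerExample__InvalidPrice(price);
        return uint256(price);
    }
}
```

Deploying `MockV3Aggregator(-1)` and calling `getUsdValue(1e18)` on the consumer reverts with the custom error, while the unchecked variant proceeds with the wrapped value; the guard also rejects a zero answer, which would otherwise divide by zero in `getTokenAmountFromUsd`.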
