Submission Details
Severity: medium
Valid

Missing Validation on chainlink data

Summary

The DSCEngine contract relies on the Chainlink price feed; however, the values it returns are not validated, so a stale or invalid price may be used.

Vulnerability Details

The contract relies on the following code to fetch prices:

```solidity
// Helper from the protocol's oracle library: wraps Chainlink's
// latestRoundData() and reverts when the answer is older than TIMEOUT.
function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
    public
    view
    returns (uint80, int256, uint256, uint256, uint80)
{
    (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
        priceFeed.latestRoundData();

    // Only the age of the round is checked; `answer` itself is returned unchecked.
    uint256 secondsSince = block.timestamp - updatedAt;
    if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();

    return (roundId, answer, startedAt, updatedAt, answeredInRound);
}
```

However, not all return values are checked: in particular, there is no check that `answer` is greater than 0.

Impact

May bring an invalid price when

Tools Used

Manual review

Recommendations

Add validation of the returned round data (at minimum, revert when `answer <= 0`) to avoid using unexpected values.
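The following is an added illustration of what the recommended validation could look like; it is not the protocol's own code. It keeps the original staleness check and adds the missing `answer > 0` check alongside two further sanity checks on the round data. The `TIMEOUT` value, the error names other than `OracleLib__StalePrice`, and the Chainlink import path are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed import path for the Chainlink aggregator interface.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// Hardened variant of the oracle helper (example, not the audited code).
library OracleLibHardened {
    error OracleLib__StalePrice();
    error OracleLib__InvalidPrice();

    // Assumed heartbeat bound; set it to the feed's documented heartbeat.
    uint256 private constant TIMEOUT = 3 hours;

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // 1. The check missing from the original: a zero or negative answer
        //    must never be used as a price.
        if (answer <= 0) revert OracleLib__InvalidPrice();

        // 2. A round that has never been completed reports updatedAt == 0;
        //    treat it as stale rather than computing a huge `secondsSince`.
        if (updatedAt == 0) revert OracleLib__StalePrice();

        // 3. Belt-and-braces: reject an answer carried over from an earlier round.
        //    Chainlink marks answeredInRound as deprecated, so drop this line
        //    if the feed you use no longer populates it meaningfully.
        if (answeredInRound < roundId) revert OracleLib__StalePrice();

        // 4. The original heartbeat check, unchanged.
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}
```

The ordering matters: the `answer` and `updatedAt` checks run before the subtraction so that a feed returning an empty round cannot trip an unintended revert path, and every failure surfaces as a distinct custom error that the calling contract (or an off-chain monitor watching for reverts) can distinguish.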
