Foundry DeFi Stablecoin CodeHawks Audit Contest
Cyfrin
DeFiFoundry
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Unhandled Chainlink revert Would Lock Access To Oracle Price Rate

0xsmartcontract

Summary

Chainlink's latestRoundData() is used which could potentially revert and make it impossible to query any prices. This could lead to permanent denial of service.

Vulnerability Details

The staleCheckLatestRoundData() function makes use of Chainlink's latestRoundData() to get the latest price rate. However, there is no fallback logic to be executed when the access to the Chainlink data feed is denied by Chainlink's multisigs. While currently there’s no whitelisting mechanism to allow or disallow contracts from reading prices, powerful multisigs can tighten these access controls. In other words, the multisigs can immediately block access to price feeds at will.
https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles/

Impact

staleCheckLatestRoundData() could revert and cause denial of service to the protocol.

Tools Used

Manual Review

Recommendations

Use try/catch block. The logic for getting the token's price from the Chainlink data feed should be placed in the try block, while some fallback logic when the access to the chainlink oracle data feed is denied should be placed in the catch block. For example:

function staleCheckLatestRoundData(address priceFeedAddress) external view returns (int256) {
try AggregatorV3Interface(priceFeedAddress).latestRoundData() returns (
uint80, // roundID
int256 price, // price
uint256, // startedAt
uint256, // timestamp
uint80 // answeredInRound
) {
return price;
} catch Error(string memory) {
// handle failure here:
// revert, call proprietary fallback oracle, fetch from another 3rd-party oracle, etc.
}
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.