Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

The oracle price reading of different collateral should be compatible with revert

kutu

Summary

The protocol does not isolate multiple collateral, and any error in reading the price of each collateral will cause the protocol to fail to calculate the user's collateral price, and it will not be able to carry out mint, borrow and liquidation.

Vulnerability Details

function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)

public

view

returns (uint80, int256, uint256, uint256, uint80)

{

// @audit revert here

(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =

priceFeed.latestRoundData();

uint256 secondsSince = block.timestamp - updatedAt;

// @audit revert here

if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();

return (roundId, answer, startedAt, updatedAt, answeredInRound);

}

function getTokenAmountFromUsd(address token, uint256 usdAmountInWei) public view returns (uint256) {

// price of ETH (token)

// $/ETH ETH ??

// $2000 / ETH. $1000 = 0.5 ETH

AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);

(, int256 price,,,) = priceFeed.staleCheckLatestRoundData();

// ($10e18 * 1e18) / ($2000e8 * 1e10)

// @audit revert here

return (usdAmountInWei * PRECISION) / (uint256(price) * ADDITIONAL_FEED_PRECISION);

}

There are three possible problems:

The latestRoundData calls revert
The heart rate greater than 3 hours
The oracle returns the price of 0, which may occur if the current round is not fully updated

Impact

Only one oracle price reading error will shutdown the entire protocol, when the price fluctuates greatly, which will cause funds loss to users.

Tools Used

Manual review

Recommendations

If orace price is zero, revert
Use try-catch to package priceFeed.staleCheckLatestRoundData

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.