15,000 USDC
View results
Submission Details
Severity: medium
Valid

Oracle Price Lacks Sanity Checks

Summary

Lack of sanity check on price answer
Lack of sanity check on roundId
Lack of sanity check on updatedAt

Vulnerability Details

Results from (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
priceFeed.latestRoundData(); are not sanity checked which endangers the protocol OracleLib.sol line 26

Impact

  1. Medium::: If answer is a negative value where it is consumed inside DSCEngine.sol line 347
    return (usdAmountInWei * PRECISION) / (uint256(price) * ADDITIONAL_FEED_PRECISION); It is being unsafe cast into a unit256 which results in it being a very large number which misrepresents the health factor to higher than normal. Therefore accounts that should normally be able to be liquidated are not liquidated

  2. Medium::: If updatedAt = 0 function will always revert that price is stale

  3. Medium:::If roundId is not checked we may be dealing with stale data that can result in e.g higher than normal prices which means accounts that should normally be able to be liquidated are not as they have a faulty high health factor

Tools Used

Manual Analysis

Recommendations

Inside OracleLib.sol function add the following check
if (answer < 0) revert ...;
if (roundId == 0) revert ...;
if (updatedAt == 0) revert ...;

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.