Oracle Price Lacks Sanity Checks
Summary
Lack of sanity check on price answer
Lack of sanity check on roundId
Lack of sanity check on updatedAt
Vulnerability Details
Results from (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
priceFeed.latestRoundData(); are not sanity checked which endangers the protocol OracleLib.sol line 26
Impact
-
Medium::: If answer is a negative value where it is consumed inside DSCEngine.sol line 347
return (usdAmountInWei * PRECISION) / (uint256(price) * ADDITIONAL_FEED_PRECISION); It is being unsafe cast into a unit256 which results in it being a very large number which misrepresents the health factor to higher than normal. Therefore accounts that should normally be able to be liquidated are not liquidated -
Medium::: If updatedAt = 0 function will always revert that price is stale
-
Medium:::If roundId is not checked we may be dealing with stale data that can result in e.g higher than normal prices which means accounts that should normally be able to be liquidated are not as they have a faulty high health factor
Tools Used
Manual Analysis
Recommendations
Inside OracleLib.sol function add the following check
if (answer < 0) revert ...;
if (roundId == 0) revert ...;
if (updatedAt == 0) revert ...;
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.