The Cyfrin protocol relies on a Chainlink price oracle to determine the token amount and the USD value. However, the current implementation does not include any checks to verify the freshness of the price fetched from the Chainlink oracle.
As we can see from the lines of code above, the staleCheckLatestRoundData() function is called in both cases to check the Chainlink oracle for stale data. However, the priceFeed returns the following variables:
- roundId
- answer
- startedAt
- updatedAt
- answeredInRound

These return values are also meant to be used for extra validation before the price is accepted and used.
The absence of proper checks in the current implementation can result in potential issues when Chainlink initiates a new round and faces challenges in reaching a consensus on the oracle's new value. If these checks are not in place, consumers of this contract may continue to utilize outdated, stale, or inaccurate data in situations where oracles fail to submit and commence a new round. Some potential reasons for this could include scenarios where Chainlink nodes abandon the oracle, chain congestion occurs, or vulnerabilities/attacks target the Chainlink system.
This vulnerability is categorized as MEDIUM since it impacts user assets solely when the Chainlink oracle is in a compromised or unreliable state.
To rectify this problem, it is advisable to incorporate checks that guarantee the freshness of the price received from Chainlink. You can utilize the following code snippet as a reference for validating the Chainlink price:
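The following is an added illustration of such a freshness check, not the protocol's own code or the snippet the original finding referred to. The library name `PriceFeedGuard`, the function name `getValidatedPrice`, the custom errors, and the `MAX_PRICE_AGE` value are assumptions; in practice the age limit must be set per feed, slightly above that feed's documented heartbeat, so that a healthy feed never trips it while a feed that has stopped updating does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// @notice Hypothetical helper (not the protocol's code) that wraps latestRoundData()
///         and rejects stale, incomplete, or non-positive answers instead of using them.
library PriceFeedGuard {
    error PriceFeedGuard__NonPositiveAnswer(int256 answer);
    error PriceFeedGuard__RoundNotComplete(uint80 roundId, uint256 updatedAt);
    error PriceFeedGuard__StaleAnswer(uint80 roundId, uint80 answeredInRound);
    error PriceFeedGuard__PriceTooOld(uint256 updatedAt, uint256 maxAge);

    /// @dev Assumed upper bound on the age of an accepted answer. Choose this
    ///      per feed, slightly above the feed's heartbeat; 1 hour is only an example.
    uint256 internal constant MAX_PRICE_AGE = 1 hours;

    /// @notice Returns the latest answer and its decimals only if every sanity
    ///         check passes; reverts otherwise so callers cannot act on bad data.
    function getValidatedPrice(AggregatorV3Interface priceFeed)
        internal
        view
        returns (int256 answer, uint8 decimals)
    {
        (
            uint80 roundId,
            int256 rawAnswer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = priceFeed.latestRoundData();

        // A zero or negative price is never valid for a USD feed.
        if (rawAnswer <= 0) {
            revert PriceFeedGuard__NonPositiveAnswer(rawAnswer);
        }

        // updatedAt == 0 (or startedAt == 0) means the round has not completed yet.
        if (updatedAt == 0 || startedAt == 0) {
            revert PriceFeedGuard__RoundNotComplete(roundId, updatedAt);
        }

        // If the answer was computed in an earlier round than the one reported,
        // the oracle is serving a carried-over value (note: newer aggregators
        // report answeredInRound == roundId, so this check is defensive).
        if (answeredInRound < roundId) {
            revert PriceFeedGuard__StaleAnswer(roundId, answeredInRound);
        }

        // The feed has not updated within the accepted window: treat as stale.
        if (block.timestamp - updatedAt > MAX_PRICE_AGE) {
            revert PriceFeedGuard__PriceTooOld(updatedAt, MAX_PRICE_AGE);
        }

        return (rawAnswer, priceFeed.decimals());
    }
}

/// @notice Minimal consumer showing how a protocol would use the guard when
///         converting a token amount to its USD value (example only).
contract UsdValueExample {
    using PriceFeedGuard for AggregatorV3Interface;

    AggregatorV3Interface public immutable priceFeed;

    constructor(AggregatorV3Interface feed) {
        priceFeed = feed;
    }

    /// @param amount token amount with 18 decimals (assumption for this example)
    /// @return usdValue value scaled to 18 decimals
    function getUsdValue(uint256 amount) external view returns (uint256 usdValue) {
        (int256 price, uint8 feedDecimals) = priceFeed.getValidatedPrice();
        // price is guaranteed positive by the guard, so the cast is safe.
        usdValue = (amount * uint256(price)) / (10 ** feedDecimals);
    }
}
```

Reverting is the simplest safe behaviour; a protocol that cannot tolerate a revert during an oracle outage (for example, liquidations that must still run) would instead pause or fall back to a secondary price source when `getValidatedPrice` fails, but it should never silently proceed with the stale answer.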