15,000 USDC
Submission Details
Severity: medium
Valid

Chainlink's latestRoundData may return a stale or incorrect result

Summary

Incorrect usage of Chainlink's latestRoundData in OracleLib can lead to assets being priced wrongly.

Vulnerability Details

Related report: https://github.com/code-423n4/2021-05-fairside-findings/issues/70

Impact

Incorrect pricing, resulting in loss of user funds or DSC being over-minted.

Tools Used

Manual review.

Recommendations

It is recommended to add these checks:

```solidity
function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
    public
    view
    returns (uint80, int256, uint256, uint256, uint80)
{
    (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
        priceFeed.latestRoundData();
    // An incomplete round reports updatedAt == 0; check this before doing arithmetic on it.
    require(updatedAt != 0, "Round not complete");
    // Reject answers older than the library's heartbeat tolerance (TIMEOUT).
    uint256 secondsSince = block.timestamp - updatedAt;
    if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
    // Reject answers carried over from an earlier round (answeredInRound < roundId).
    require(answeredInRound >= roundId, "Stale price");
    // A zero or negative answer is never a valid price.
    require(answer > 0, "Chainlink answer reporting 0");
    return (roundId, answer, startedAt, updatedAt, answeredInRound);
}
```
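As an added example (not code from the report or from the DSC codebase), a Python reference model of the same four checks, run over constructed round tuples with one round per reject path; the TIMEOUT value, the timestamp and the round values are assumptions.

```python
from dataclasses import dataclass

# Assumed heartbeat tolerance (3 hours); the real value must match the feed's heartbeat.
TIMEOUT = 3 * 60 * 60

class StalePrice(Exception):
    """Mirrors the OracleLib__StalePrice / "Stale price" reverts."""

class RoundNotComplete(Exception):
    """Mirrors the "Round not complete" revert."""

class BadAnswer(Exception):
    """Mirrors the "Chainlink answer reporting 0" revert."""

@dataclass(frozen=True)
class Round:
    """One latestRoundData() tuple: roundId, answer, startedAt, updatedAt, answeredInRound."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int

def stale_check(rd: Round, now: int, timeout: int = TIMEOUT) -> int:
    """Same four checks, in the same order, as the recommended Solidity function."""
    if rd.updated_at == 0:
        raise RoundNotComplete("round not complete")
    if now - rd.updated_at > timeout:
        raise StalePrice(f"answer is {now - rd.updated_at}s old")
    if rd.answered_in_round < rd.round_id:
        raise StalePrice("answer carried over from an earlier round")
    if rd.answer <= 0:
        raise BadAnswer(f"answer {rd.answer} is not positive")
    return rd.answer

# Constructed rounds for an 8-decimal USD feed at $2000, one per outcome.
NOW = 1_700_000_000  # constructed block.timestamp
FRESH = Round(100, 2000_00000000, NOW - 60, NOW - 60, 100)
STALE = Round(100, 2000_00000000, NOW - 4 * 3600, NOW - 4 * 3600, 100)
CARRIED = Round(101, 2000_00000000, NOW - 60, NOW - 60, 100)  # answeredInRound < roundId
INCOMPLETE = Round(101, 0, NOW - 60, 0, 101)  # updatedAt == 0
ZERO = Round(100, 0, NOW - 60, NOW - 60, 100)

def classify(rd: Round, now: int = NOW) -> str:
    """Return "ok" or the name of the check that rejected the round."""
    try:
        stale_check(rd, now)
        return "ok"
    except (StalePrice, RoundNotComplete, BadAnswer) as exc:
        return type(exc).__name__
```

The same five rounds, fed to a mock aggregator in a Foundry test, give the revert paths to assert on for the on-chain function.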
