Submission Details
Severity: medium
Valid

No way to update price feed address can cause user funds to be locked & lost

Summary

The protocol has no way of updating the price feed address for a given token once it has been assigned in the constructor.

Vulnerability Details

If the Chainlink address for a particular TOKEN/USD price feed changes tomorrow, the protocol has no way of updating it. A function along the lines of the following should exist:

function updatePriceFeedAddressForToken(address token, address chainlinkPriceFeed)
    external
    isAllowedToken(token)
    onlyOwner
{
    //.....
}

It should also have a time-lock (or delay) feature so that users receive a heads-up that a price feed address update is going to happen in the next few days. This guards against malicious use of the function by the owner.

Where the current price feed is still functional and the owner is performing the update only to move to a better oracle, users can choose to redeem their collateral during this delay period.

Impact

If Chainlink changes the price feed address for any token in the protocol, user funds are locked and lost forever.

Tools Used

Manual review

Recommendations

Add an updatePriceFeedAddressForToken function.
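As an added example (not the audited protocol's own code), one way to implement the recommended update with the delay described above is a two-step propose/execute flow: the owner announces the new feed on-chain, and the change can only be applied after the delay, giving users time to redeem collateral. The contract, storage and modifier names and the 3-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
/// Hypothetical time-locked price feed registry (added example, not the audited code).
contract TimelockedPriceFeeds {
    error NotOwner();
    error TokenNotAllowed(address token);
    error ZeroAddress();
    error LengthMismatch();
    error NoPendingUpdate(address token);
    error DelayNotElapsed(address token, uint256 readyAt);

    uint256 public constant UPDATE_DELAY = 3 days; // assumed delay; tune per protocol
    address public immutable owner;
    mapping(address token => address feed) public priceFeeds;     // active feed per token
    mapping(address token => address feed) public pendingFeed;    // announced but not yet applied
    mapping(address token => uint256 readyAt) public pendingReadyAt;

    event PriceFeedUpdateProposed(address indexed token, address indexed newFeed, uint256 readyAt);
    event PriceFeedUpdated(address indexed token, address indexed oldFeed, address indexed newFeed);

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier isAllowedToken(address token) { if (priceFeeds[token] == address(0)) revert TokenNotAllowed(token); _; }

    constructor(address[] memory tokens, address[] memory feeds) {
        if (tokens.length != feeds.length) revert LengthMismatch();
        owner = msg.sender;
        for (uint256 i = 0; i < tokens.length; i++) priceFeeds[tokens[i]] = feeds[i];
    }

    /// Step 1: announce the change. The event gives users and monitors an on-chain heads-up.
    function proposePriceFeedUpdate(address token, address newFeed) external onlyOwner isAllowedToken(token) {
        if (newFeed == address(0)) revert ZeroAddress();
        uint256 readyAt = block.timestamp + UPDATE_DELAY;
        pendingFeed[token] = newFeed;
        pendingReadyAt[token] = readyAt;
        emit PriceFeedUpdateProposed(token, newFeed, readyAt);
    }

    /// Step 2: apply it, but only once the delay has elapsed. Anyone may call this.
    function executePriceFeedUpdate(address token) external {
        address newFeed = pendingFeed[token];
        if (newFeed == address(0)) revert NoPendingUpdate(token);
        uint256 readyAt = pendingReadyAt[token];
        if (block.timestamp < readyAt) revert DelayNotElapsed(token, readyAt);
        address oldFeed = priceFeeds[token];
        priceFeeds[token] = newFeed;
        delete pendingFeed[token];
        delete pendingReadyAt[token];
        emit PriceFeedUpdated(token, oldFeed, newFeed);
    }
}
```

Because the registry only ever replaces a non-zero feed with another non-zero feed, a token can never be left without a price source mid-update.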
