15,000 USDC
Submission Details
Severity: medium
Valid

Protocol does not validate the data returned by Chainlink aggregators

Summary

The protocol does not check whether the data returned by the Chainlink aggregator is stale before using it.

Vulnerability Details

The protocol relies on a Chainlink price feed, but nothing in the code checks whether the value returned by the feed is stale. If the feed has stopped updating (a paused aggregator, a node outage, a network congestion event) the protocol will keep consuming an outdated price as if it were current.

There is one place where the protocol reads price data from Chainlink, via latestRoundData. That call returns roundId, answer, startedAt, updatedAt and answeredInRound, and each of these values needs to be validated before the answer is used: a non-positive answer, a round that has not completed, or an updatedAt older than the feed's heartbeat should all cause the read to revert rather than return a price.

Impact

The protocol may consume a stale price. When the on-chain price lags the real market price, MEV searchers can trade against the protocol at the stale price (for example by sandwiching or arbitraging user transactions), extracting value from the protocol and its users.

Tools Used

vscode, Manual Review

Recommendations

Add the following checks on the returned data. Note that the round-consistency check compares answeredInRound with roundId (comparing updatedAt, a timestamp, with roundID, a counter, is a common copy-paste mistake and does not check anything meaningful); the third return value is startedAt, not a generic timestamp. TIMEOUT must be chosen per feed: take the feed's documented heartbeat and add margin, since an overly short timeout makes the protocol revert on every normal gap between updates. On newer OCR2 feeds answeredInRound is deprecated and simply equals roundId, so the updatedAt freshness check is the one that actually protects against stale data.

uint256 private constant TIMEOUT = 3 hours; // assumed value; must exceed the feed's heartbeat
error OracleLib__StalePrice();

(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
// Chainlink return-value checks
require(answeredInRound >= roundId, "Stale price");       // answer belongs to this round or a later one
require(startedAt != 0, "Round not complete");            // round has not started / is incomplete
require(answer > 0, "Chainlink answer reporting 0");      // zero or negative answer is invalid
uint256 secondsSince = block.timestamp - updatedAt;       // reverts on underflow if updatedAt is in the future
if (secondsSince > TIMEOUT) revert OracleLib__StalePrice(); // older than the feed heartbeat plus margin
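The following is an added, self-contained example of the recommendation above as a reusable library, written for this page; it is not the submitter's code and not the audited protocol's code. The AggregatorV3Interface stub, the library and error names (OracleLib, OracleLib__StalePrice and the others), the PriceConsumer contract and the per-feed maxAge parameter are all assumptions made for illustration. It goes beyond the snippet above in two ways: the timeout is supplied per feed instead of hard-coded, since Chainlink heartbeats differ between feeds, and the consumer normalises the answer to 18 decimals so that a feed with a different decimals() value cannot silently change the scale of the price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so this file
/// compiles stand-alone. In a real project import it from @chainlink/contracts instead.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Wrapper around latestRoundData that reverts on stale, incomplete or non-positive answers.
/// maxAge is passed in per feed: use the feed's documented heartbeat plus a safety margin
/// (hypothetical example: 3 hours for a feed whose heartbeat is 1 hour).
library OracleLib {
    error OracleLib__StalePrice(uint256 updatedAt, uint256 maxAge);
    error OracleLib__RoundNotComplete(uint80 roundId);
    error OracleLib__InvalidAnswer(int256 answer);
    error OracleLib__StaleRound(uint80 roundId, uint80 answeredInRound);

    function staleCheckLatestRoundData(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
    {
        (roundId, answer, startedAt, updatedAt, answeredInRound) = feed.latestRoundData();

        // A round that has not started reports startedAt == 0.
        if (startedAt == 0) revert OracleLib__RoundNotComplete(roundId);

        // Prices must be strictly positive; 0 or a negative value means the aggregator is misbehaving.
        if (answer <= 0) revert OracleLib__InvalidAnswer(answer);

        // Legacy round-consistency check. On OCR2 feeds answeredInRound equals roundId, so this
        // never fires there, but it still rejects carried-over answers on older aggregators.
        if (answeredInRound < roundId) revert OracleLib__StaleRound(roundId, answeredInRound);

        // Freshness: the answer must have been updated within maxAge seconds. An updatedAt in the
        // future makes the subtraction underflow, which reverts under 0.8 checked arithmetic.
        if (block.timestamp - updatedAt > maxAge) revert OracleLib__StalePrice(updatedAt, maxAge);
    }
}

/// Example consumer (hypothetical). The feed and its timeout are fixed at deployment.
contract PriceConsumer {
    using OracleLib for AggregatorV3Interface;

    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge;

    constructor(AggregatorV3Interface _feed, uint256 _maxAge) {
        feed = _feed;
        maxAge = _maxAge;
    }

    /// Returns the latest price scaled to 18 decimals, reverting instead of using a stale value.
    function getPrice() external view returns (uint256) {
        (, int256 answer,,,) = feed.staleCheckLatestRoundData(maxAge);
        uint8 dec = feed.decimals();
        require(dec <= 18, "unsupported feed decimals");
        // answer > 0 was already enforced, so the cast is safe.
        return uint256(answer) * (10 ** (18 - dec));
    }
}
```

Deploy PriceConsumer with the feed address and a maxAge derived from that feed's heartbeat; a call to getPrice() then reverts with a typed error whenever the feed is stale or reports an invalid answer, which is the behaviour the protocol needs so that downstream logic (collateral valuation, liquidations) never runs on an outdated price.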
