DittoETH
Sponsor: Ditto
Tags: DeFi, Foundry, Oracle
Prize pool: 55,000 USDC
Submission Details
Severity: medium
Valid

Staleness check missing in oracleCircuitBreaker

Summary

The Chainlink oracle path that fetches the base asset's price (baseOracleCircuitBreaker) includes a staleness check on the returned round timestamp, but the equivalent check is missing in oracleCircuitBreaker, which validates the feed data used for the other tokens.

Vulnerability Details

As noted above, the staleness check is missing: the timeStamp and baseTimeStamp values returned by Chainlink are only compared against the current block timestamp (block.timestamp), and the only condition that can fail is a timestamp in the future. Any timestamp in the past, however old, passes this comparison, so a round that has not been updated for hours or days is accepted and the function offers no protection against stale prices.

function oracleCircuitBreaker(
    uint80 roundId,
    uint80 baseRoundId,
    int256 chainlinkPrice,
    int256 baseChainlinkPrice,
    uint256 timeStamp,
    uint256 baseTimeStamp
) private view {
    bool invalidFetchData = roundId == 0 || timeStamp == 0
        || timeStamp > block.timestamp || chainlinkPrice <= 0 || baseRoundId == 0
        || baseTimeStamp == 0 || baseTimeStamp > block.timestamp
        || baseChainlinkPrice <= 0;
    if (invalidFetchData) revert Errors.InvalidPrice();
}

Impact

An incorrect or outdated price can be used for orderbook matching and sorting, which has a variety of adverse effects on users' positions: orders may be matched at a price that no longer reflects the market, and positions may be valued against a price the feed stopped updating.

Tools Used

Manual review

Recommendations

Implement a staleness check in oracleCircuitBreaker, as is already done in baseOracleCircuitBreaker: revert if the age of the round (block.timestamp minus the returned timestamp) exceeds an acceptable threshold, for both timeStamp and baseTimeStamp.
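One way to implement that recommendation, as an added example that is not DittoETH's own code. The wrapper contract, the Errors stub, and the STALE_AFTER value are assumptions; the appropriate threshold depends on the heartbeat of the specific Chainlink feed. The existing checks are kept as they appear in the report, and the new check is appended after them:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Stub of the project's Errors library (assumption for this example).
library Errors {
    error InvalidPrice();
}

contract OracleCircuitBreakerExample {
    // Assumed maximum age of a Chainlink round before it is treated as stale.
    // Tune this to the heartbeat of the feed actually used.
    uint256 public constant STALE_AFTER = 2 hours;

    // Declared public here only so the example is callable; the original
    // function is private.
    function oracleCircuitBreaker(
        uint80 roundId,
        uint80 baseRoundId,
        int256 chainlinkPrice,
        int256 baseChainlinkPrice,
        uint256 timeStamp,
        uint256 baseTimeStamp
    ) public view {
        // Existing checks from the report: non-zero round id, non-zero and
        // non-future timestamp, and a positive price, for both feeds.
        bool invalidFetchData = roundId == 0 || timeStamp == 0
            || timeStamp > block.timestamp || chainlinkPrice <= 0 || baseRoundId == 0
            || baseTimeStamp == 0 || baseTimeStamp > block.timestamp
            || baseChainlinkPrice <= 0;
        if (invalidFetchData) revert Errors.InvalidPrice();

        // Added staleness check. An old-but-past timestamp passes everything
        // above, so bound the round age for both feeds. The subtraction cannot
        // underflow because timeStamp <= block.timestamp was already enforced.
        bool stale = block.timestamp - timeStamp > STALE_AFTER
            || block.timestamp - baseTimeStamp > STALE_AFTER;
        if (stale) revert Errors.InvalidPrice();
    }
}
```

Reverting with the same Errors.InvalidPrice keeps the callers' error handling unchanged; a dedicated error would make the stale case easier to distinguish in logs and tests, at the cost of touching more code.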

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issues
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-644
