DittoETH

Ditto
Tags: DeFi, Foundry, Oracle
Prize pool: 55,000 USDC

Submission Details
Severity: medium
Valid

Oracle price can be stale for assets different from `USD`

Summary

When querying the oracle price for assets other than USD, the freshness of the returned Chainlink price is never checked, so a stale price is accepted as valid.

Vulnerability Details

In LibOracle.sol:getOraclePrice(), when the asset is not USD, oracleCircuitBreaker() is called to check the validity of both the asset/USD and ETH/USD prices. That function only checks that the round ids, timestamps and prices are non-zero and that the timestamps are not in the future; it never compares the timestamps against the current block time, so a feed that has stopped updating still passes the check and its stale price is used.

From Chainlink documentation:

Your application should track the latestTimestamp variable or use the updatedAt value from the latestRoundData() function to make sure that the latest answer is recent enough for your application to use it. If your application detects that the reported answer is not updated within the heartbeat or within time limits that you determine are acceptable for your application, pause operation or switch to an alternate operation mode while identifying the cause of the delay.
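As an added illustration (not LibOracle's code), the following library reads a Chainlink feed and rejects the round unless it is well-formed and no older than a caller-supplied maximum age, then applies the same check to both feeds the finding describes. The interface mirrors Chainlink's AggregatorV3Interface; the feed addresses, the per-feed maximum ages and the 8-decimal assumption are this example's, not the project's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface.latestRoundData()
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

library FreshOracleCheck {
    error InvalidRound(address feed);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);

    // Reads one feed; reverts on a malformed round or on a price older than maxAge.
    // maxAge is chosen per feed (typically the feed's heartbeat plus a small grace period).
    function readFresh(IAggregatorV3 feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // Same shape checks as the original circuit breaker
        if (roundId == 0 || answer <= 0 || updatedAt == 0 || updatedAt > block.timestamp) {
            revert InvalidRound(address(feed));
        }
        // The missing freshness check: reject rounds older than the feed's allowed age
        if (block.timestamp - updatedAt > maxAge) {
            revert StalePrice(address(feed), updatedAt, maxAge);
        }
        return uint256(answer);
    }

    // Reads asset/USD and ETH/USD with their own freshness bounds and returns asset/ETH
    // scaled to 18 decimals. Assumes both feeds report 8 decimals (an example assumption).
    function assetPriceInEth(
        IAggregatorV3 assetUsd,
        uint256 assetMaxAge,
        IAggregatorV3 ethUsd,
        uint256 ethMaxAge
    ) internal view returns (uint256) {
        uint256 assetUsdPrice = readFresh(assetUsd, assetMaxAge);
        uint256 ethUsdPrice = readFresh(ethUsd, ethMaxAge);
        return (assetUsdPrice * 1e18) / ethUsdPrice;
    }
}
```

A stale ETH/USD round is rejected even when the asset/USD round is fresh, which is the case the original check lets through.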

Impact

An incorrect asset price can be used, which can lead to many problems, including users being required to deposit more or less collateral than expected, or being liquidated when they should not be.

Tools Used

Manual review.

Recommendations

bool invalidFetchData = roundId == 0 || timeStamp == 0
|| timeStamp > block.timestamp || chainlinkPrice <= 0 || baseRoundId == 0
|| baseTimeStamp == 0 || baseTimeStamp > block.timestamp
- || baseChainlinkPrice <= 0;
+ || baseChainlinkPrice <= 0 || block.timestamp > 2 hours + timeStamp
+ || block.timestamp > 2 hours + baseTimeStamp;
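Review bot: the added staleness bound hard-codes the same 2 hours for both timeStamp and baseTimeStamp, but the Chainlink guidance quoted above ties the acceptable delay to each feed's heartbeat, and the asset/USD and ETH/USD feeds do not necessarily share one; consider making the maximum age a per-feed parameter (for example a configurable heartbeat per feed address) rather than a single constant, so that one feed is not accepted long after its heartbeat has passed while another is rejected during normal operation. The rest of the condition is unchanged, so a round whose timeStamp is in the future is still rejected before the new clause is evaluated.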
Updates

Lead Judging Commences

0xnevi (Lead Judge), almost 2 years ago
Submission Judgement Published: Invalidated
Reason: Known issues

0xnevi (Lead Judge), almost 2 years ago
Submission Judgement Published: Validated
Assigned finding tags:

finding-644
