DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Chainlink price feed is not sufficiently validated

inallhonesty

Summary

Chainlink price feed is not properly validated, which could lead to situations where stale prices will be deemed valid.

Vulnerability Details

The checks section from baseOracleCircuitBreaker in LibOracle.sol:

bool invalidFetchData = roundId == 0 || timeStamp == 0

|| timeStamp > block.timestamp || chainlinkPrice <= 0

|| block.timestamp > 2 hours + timeStamp;

Compares the block.timestamp with timeStamp (genereted by oracle.latestRoundData()) + 2 hours (staleness threshold).
The staleness threshold should correspond to the heartbeat of the oracle’s price feed, which in our case (ETH-USD 0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419) is 3600 seconds (1 hour).

Impact

Stale Chainlink prices could be passed down the logic tree and depending on the status of the source for the TWAP they might actually get used.

Severity is low because likelihood is extremely low even if the damage is high.

Tools Used

Manual review.

Recommendations

Use the price feed's heartbeat parameter as the staleness threshold in the baseOracleCircuitBreaker:

function baseOracleCircuitBreaker(

uint256 protocolPrice,

uint80 roundId,

int256 chainlinkPrice,

uint256 timeStamp,

uint256 chainlinkPriceInEth

) private view returns (uint256 _protocolPrice) {

bool invalidFetchData = roundId == 0 || timeStamp == 0

|| timeStamp > block.timestamp || chainlinkPrice <= 0

-- || block.timestamp > 2 hours + timeStamp;

++ || block.timestamp > 1 hours + timeStamp;

uint256 chainlinkDiff = chainlinkPriceInEth > protocolPrice

? chainlinkPriceInEth - protocolPrice

: protocolPrice - chainlinkPriceInEth;

bool priceDeviation =

protocolPrice > 0 && chainlinkDiff.div(protocolPrice) > 0.5 ether;

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.