Steadefi
DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

[L-01] Inability to Update or Remove Chainlink Price Feeds

Summary

The ChainlinkARBOracle contract provides a function to set the Chainlink price feed for a token, but once a feed is set there is no mechanism to update or remove it. The oracle therefore cannot be pointed at a replacement feed if Chainlink deprecates the current one or it proves unreliable; the only way to change a feed is to redeploy the contract.

Vulnerability Details

The addTokenPriceFeed function in the ChainlinkARBOracle contract allows the owner to set a Chainlink price feed for a specific token. It checks whether a feed for the given token is already set and reverts if so, and no other function writes to the feeds mapping. After the initial assignment the feed can therefore be neither changed nor removed.

if (feeds[token] != address(0)) revert Errors.TokenPriceFeedAlreadySet();

This limitation can be problematic if the set feed becomes unreliable, is deprecated, or if there's a need to switch to a different, more reliable source.

Impact

  1. Inflexibility: the contract can be left reading from an outdated or unreliable data source with no on-chain way to switch.

  2. Need for Contract Redeployment: changing a single feed requires redeploying the entire oracle and repointing every consumer to the new address, with the migration risk that entails.

  3. Redundant Data: without a removal path, feeds for tokens the protocol no longer supports stay in the mapping and continue to be served as valid price sources.

Tools Used

Manual Review

Recommendations

To address the above concerns, it is recommended:

  1. Implementing an Update Function: This function will allow the contract owner to update the feed for a given token. Here's a potential implementation:

    function updateTokenPriceFeed(address token, address newFeed) external onlyOwner {
        require(token != address(0), "ZeroAddressNotAllowed");
        require(newFeed != address(0), "ZeroAddressNotAllowed");
        // Only replace an existing feed; first-time registration stays with addTokenPriceFeed
        require(feeds[token] != address(0), "TokenPriceFeedNotSet");
        feeds[token] = newFeed;
    }

  2. Implementing a Removal Function: This function will allow the owner to remove a feed for a token, setting its address back to the zero address:

    function removeTokenPriceFeed(address token) external onlyOwner {
        require(token != address(0), "ZeroAddressNotAllowed");
        require(feeds[token] != address(0), "TokenPriceFeedNotSet");
        // Resetting to address(0) makes the token eligible for addTokenPriceFeed again
        delete feeds[token];
    }

By introducing these functions, the contract will be more adaptive and future-proof, reducing the need for potentially disruptive contract redeployments.
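As an added example (not the Steadefi code and not the report's own snippets), the following stand-alone contract implements the recommended add / update / remove lifecycle end to end, together with the two things a reviewer would ask for on top of the bare setters: an event on every change so a feed swap is observable off-chain, and a sanity check that the new address is a live aggregator with the same decimals as the one it replaces. The contract name FeedRegistryExample, the feedDecimals mapping and the _requireLiveFeed helper are illustrative assumptions; the AggregatorV3Interface subset mirrors Chainlink's published interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's AggregatorV3Interface, inlined so the example compiles stand-alone.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical registry (not the Steadefi ChainlinkARBOracle source) showing the full
// add / update / remove lifecycle with the checks and events a reviewer would ask for.
contract FeedRegistryExample {
    error NotOwner();
    error ZeroAddressNotAllowed();
    error TokenPriceFeedAlreadySet();
    error TokenPriceFeedNotSet();
    error FeedNotResponding(address feed);
    error FeedDecimalsMismatch(uint8 expected, uint8 actual);

    // Every change is emitted so off-chain monitoring can alert on a feed swap.
    event TokenPriceFeedAdded(address indexed token, address indexed feed, uint8 decimals);
    event TokenPriceFeedUpdated(address indexed token, address indexed oldFeed, address indexed newFeed);
    event TokenPriceFeedRemoved(address indexed token, address indexed feed);

    address public immutable owner;
    mapping(address => address) public feeds;
    // Decimals recorded at add time; an update must keep them so consumers' scaling stays valid.
    mapping(address => uint8) public feedDecimals;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Same rule as in the finding: a feed can be added only once per token.
    function addTokenPriceFeed(address token, address feed) external onlyOwner {
        if (token == address(0) || feed == address(0)) revert ZeroAddressNotAllowed();
        if (feeds[token] != address(0)) revert TokenPriceFeedAlreadySet();
        _requireLiveFeed(feed);
        uint8 dec = AggregatorV3Interface(feed).decimals();
        feeds[token] = feed;
        feedDecimals[token] = dec;
        emit TokenPriceFeedAdded(token, feed, dec);
    }

    // Replaces an existing feed in place; the new aggregator must answer and use the same decimals
    // (e.g. swapping an 8-decimal USD feed for an 18-decimal ETH-quoted one is rejected).
    function updateTokenPriceFeed(address token, address newFeed) external onlyOwner {
        if (token == address(0) || newFeed == address(0)) revert ZeroAddressNotAllowed();
        address oldFeed = feeds[token];
        if (oldFeed == address(0)) revert TokenPriceFeedNotSet();
        _requireLiveFeed(newFeed);
        uint8 newDec = AggregatorV3Interface(newFeed).decimals();
        if (newDec != feedDecimals[token]) revert FeedDecimalsMismatch(feedDecimals[token], newDec);
        feeds[token] = newFeed;
        emit TokenPriceFeedUpdated(token, oldFeed, newFeed);
    }

    // Clears the entry so the token is back to "no feed" and can be re-added later.
    function removeTokenPriceFeed(address token) external onlyOwner {
        address feed = feeds[token];
        if (feed == address(0)) revert TokenPriceFeedNotSet();
        delete feeds[token];
        delete feedDecimals[token];
        emit TokenPriceFeedRemoved(token, feed);
    }

    // Rejects a dead or wrong aggregator: a feed whose call reverts gets FeedNotResponding, and
    // one that returns a non-positive answer or an empty round is rejected the same way. An address
    // that returns nothing decodable reverts during ABI decoding, which try/catch does not swallow,
    // so it is rejected too, just without the custom error.
    function _requireLiveFeed(address feed) internal view {
        try AggregatorV3Interface(feed).latestRoundData() returns (
            uint80, int256 answer, uint256, uint256 updatedAt, uint80
        ) {
            if (answer <= 0 || updatedAt == 0) revert FeedNotResponding(feed);
        } catch {
            revert FeedNotResponding(feed);
        }
    }
}
```

The design choice worth noting: an update function is itself a privilege, since whoever holds owner can point a token at any contract that answers latestRoundData(). The events and the liveness/decimals probe limit accidental misconfiguration; guarding against a compromised or malicious owner is a matter of who controls that key (multisig, timelock), which is outside this snippet.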

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink price feed can not be updated

Impact: High
Likelihood: Low
