Steadefi

DeFiHardhatFoundryOracle

35,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

[M-03] Lack of Negative Price Checks Due to Incorrect Operator in `ChainlinkARBOracle`

maanvad3r

Summary

The ChainlinkARBOracle contract is designed to process and validate Chainlink oracle responses. However, its current implementation only checks if the response is zero and omits potential negative values. This oversight, attributed to the use of the == operator instead of <=, can introduce inaccuracies in the deviation calculation, potentially affecting key functions like consult and consultIn18Decimals. Since chainlink price feed may potentially return negative values as stated here

Vulnerability Details

Within the ChainlinkARBOracle contract, the _badChainlinkResponse function is tasked with validating Chainlink oracle responses:

// Check for non-positive price

if (response.answer == 0) { return true; }

This approach exclusively identifies zero responses, neglecting possible negative outcomes. The implications of this narrow check are most evident in functions like _badPriceDeviation. Since the value answer is an int256 variable it might return a negative value as stated here if the price of that token drops drastically. For example, when oil futures dropped below zero.

Impact

Deviation Miscalculations: In scenarios where currentResponse.answer holds a negative value contrasting a positive prevResponse.answer, For instance, with a currentResponse.answer of -5 and a prevResponse.answer of 10, the deviation calculation in _badPriceDeviation will not yield the intended results, leading to potential miscalculations.The resulting computation may not align with the contract's expected behavior.
Inaccurate Function Outputs: The outputs of functions, specifically consult, could be compromised by such miscalculations.This might return negative price data and incorrect decimals.
Risk of Function Reverts: Functions like consultIn18Decimals, which rely on these verifications, may inadvertently revert if presented with unexpected negative price data. This poses operational risks for the contract and any other contract that are calling this function due to the fact that this function will revert when a negative value is provided as function toUint256() from SafeCast reverts it to prevent underflow/overflow.

Tools Used

Manual Code Review

Recommendations

Revise Chainlink Response Verification

To bolster the integrity of the contract, it's recommended to modify the validation in the _badChainlinkResponse function to encompass all non-positive responses:

// Suggested update to _badChainlinkResponse

if (response.answer <= 0) { return true; }

By implementing this refined check, the ChainlinkARBOracle contract can more accurately and consistently handle Chainlink oracle data, reducing the potential risks stemming from unanticipated price feed values.

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

Chainlink oracle answer can be negative

Very low likelihood -> evaluate the severity to LOW

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

2,289

15 USDC / LOC

High Medium

33,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.