Steadefi

DeFiHardhatFoundryOracle

35,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

ChainlinkARBOracle : Check to validate the chain link price is not sufficient

ak1

Summary

Once the chain-link price is fetched, its value is evaluated by comparing with last round values.

In one of the function _chainlinkIsBroken the chain-link answer is validated.

The validation ensures that the price should not be zero. but it does not capture the case where the price can be negative.

Vulnerability Details

The function _chainlinkIsBroken is used to validate the current round and last round chain link data by calling the function _badChainlinkResponse

The other check this function does is by validating the chain link data of last and current round by calling the function _badPriceDeviation

function _chainlinkIsBroken(

ChainlinkResponse memory currentResponse,

ChainlinkResponse memory prevResponse,

address token

) internal view returns (bool) {

return _badChainlinkResponse(currentResponse) ||

_badChainlinkResponse(prevResponse) ||

_badPriceDeviation(currentResponse, prevResponse, token);

}

when we look at the function _badChainlinkResponse, it has following checks,

function _badChainlinkResponse(ChainlinkResponse memory response) internal view returns (bool) {

// Check for response call reverted

if (!response.success) { return true; }

// Check for an invalid roundId that is 0

if (response.roundId == 0) { return true; }

// Check for an invalid timeStamp that is 0, or in the future

if (response.timestamp == 0 || response.timestamp > block.timestamp) { return true; }

// Check for non-positive price

if (response.answer == 0) { return true; } --------------------------------------->>> audit find - this check is not sufficient.

return false;

}

Impact

Using of negative price value as valid. This would lead to incorrect price in asset price calculations.

The Chainlink Data Feeds use int instead of uint because some prices can be negative, like when oil futures dropped below 0.

https://www.ig.com/en/news-and-trade-ideas/what-do-negative-oil-prices-mean--200507

Tools Used

Manual review.

Recommendations

Update the function _badChainlinkResponse as shown below.

function _badChainlinkResponse(ChainlinkResponse memory response) internal view returns (bool) {

// Check for response call reverted

if (!response.success) { return true; }

// Check for an invalid roundId that is 0

if (response.roundId == 0) { return true; }

// Check for an invalid timeStamp that is 0, or in the future

if (response.timestamp == 0 || response.timestamp > block.timestamp) { return true; }

// Check for non-positive price

if (response.answer == 0) { return true; } ------------>>> remove

if (response.answer <= 0) { return true; } ------------>>> add

return false;

}

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

Chainlink oracle answer can be negative

Very low likelihood -> evaluate the severity to LOW

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

2,289

15 USDC / LOC

High Medium

33,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.