Steadefi

DeFiHardhatFoundryOracle

35,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Positions may be liquidated due to incorrect implementation of Oracle logic

tripathi

Summary

Steadefi checks for historical data to make sure that last price update are within maximum delya allowed and in the range of maximum % deviation allowed.

But checking the historical data is incorrect according to the chainlink docs which can damage some serious logic with in the protcol

Vulnerability Details

Vault calls ChainlinkARBOracle.consult(token) to get the fair price from chainlink oracle

File:

function consult(address token) public view whenNotPaused returns (int256, uint8) {

address _feed = feeds[token];

if (_feed == address(0)) revert Errors.NoTokenPriceFeedAvailable();

ChainlinkResponse memory chainlinkResponse = _getChainlinkResponse(_feed);

ChainlinkResponse memory prevChainlinkResponse = _getPrevChainlinkResponse(_feed, chainlinkResponse.roundId);//@audit incorrect way to get historical data

if (_chainlinkIsFrozen(chainlinkResponse, token)) revert Errors.FrozenTokenPriceFeed();

if (_chainlinkIsBroken(chainlinkResponse, prevChainlinkResponse, token)) revert Errors.BrokenTokenPriceFeed();

return (chainlinkResponse.answer, chainlinkResponse.decimals);

}

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/oracles/ChainlinkARBOracle.sol#L62

which calls an interval function _getPrevChainlinkResponse() and try to fetch previous roundId price and other details

function _getPrevChainlinkResponse(address _feed, uint80 _currentRoundId) internal view returns (ChainlinkResponse memory) {

ChainlinkResponse memory _prevChainlinkResponse;

(

uint80 _roundId,

int256 _answer,

/* uint256 _startedAt */,

uint256 _timestamp,

/* uint80 _answeredInRound */

) = AggregatorV3Interface(_feed).getRoundData(_currentRoundId - 1);

_prevChainlinkResponse.roundId = _roundId;

_prevChainlinkResponse.answer = _answer;

_prevChainlinkResponse.timestamp = _timestamp;

_prevChainlinkResponse.success = true;

return _prevChainlinkResponse;

}

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/oracles/ChainlinkARBOracle.sol#L210

But this is incorrect way of fetching historical data.
chainlink docs say: `Oracles provide periodic data updates to the aggregators. Data feeds are updated in rounds. Rounds are identified by their roundId, which increases with each new round. This increase may not be monotonic. Knowing the roundId of a previous round allows contracts to consume historical data.

The examples in this document name the aggregator roundId as aggregatorRoundId to differentiate it from the proxy roundId.` check here

so it is not mendatory that there will be valid data for currentRoundID-1.
if there is not data for currentRooundId-1 then _badPriceDeviation(currChainlinkResponse,PrevResponse) check here will return true. Hence vault won't able to get the price of token at some specific times

Impact

In worse case keeper won't able to get the price of token so rebalancing , debt repay won't be possible leading to liquidation breaking the main important factor of protocol
Almost 70% of vault action is dependent on price of a token and not getting price will make them inactive affecting net APR

Tools Used

Manual Review

Recommendations

As chainlink docs says. Increase in roundId may not be monotonic so loop through the previous roundID and fetch the previoous roundId data

pseudo code

iterate (from roundId-1 to untill we get previous first data corressponding to roundID){

if(data present for roundID){

fetch the data and return

}else{

again iterate to get the data

}

Updates

Lead Judging Commences

hans Auditor

almost 2 years ago

hans Auditor

almost 2 years ago

hans Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

Chainlink round id is not monotonic

Impact: HIGH Likelihood: Equal to how often the round id is not monotonic. https://docs.chain.link/data-feeds/historical-data#solidity

tripathi Submitter

almost 2 years ago

hans Auditor

almost 2 years ago

hans Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

Chainlink round id is not monotonic

Impact: HIGH Likelihood: Equal to how often the round id is not monotonic. https://docs.chain.link/data-feeds/historical-data#solidity

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

2,289

15 USDC / LOC

High Medium

33,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.