The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Chainlinks oracle feeds are not immutable

chainnue

Summary

Chainlinks oracle feeds are not immutable, any feed variable should be able to be updated.

Vulnerability Details

This issue is related with https://www.codehawks.com/finding/clpcx1wls001n5ehz8ol2bxov

Just because a chainlink oracle is functioning now doesn't guarantee that chainlink will support it in the future or ensure its continued operation. Additionally, the address for the price feed might change.

File: LiquidationPool.sol
18: address private immutable eurUsd;
...
205: function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
206: consolidatePendingStakes();
207: (,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
...
241: }

this eurUsd might sometime in the future be changed, but since it's immutable, this might raise an issue

Impact

It is not possible to remove price feeds which are no longer supported by chainlink, or update the addresses of price feeds. This can lead to a complete DoS of the pool

Tools Used

Manual Review

Recommendations

Consider to make the eurUsd non-immutable, and add possibility to update it

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!