The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing Staleness Checks In The `latestRoundData()` from Chainlink

ElHaj

Summary

The distributeAssets() function lacks checks for stale or zero price data from Chainlink oracles, risking inaccurate distributions and blocking liquidations.

Vulnerability Details

  • The distributeAssets() function in the LiquidationPool contract uses Chainlink's latestRoundData() to fetch the latest price data for asset distribution calculations. However, the function does not perform checks to ensure that the price data is not stale. Stale data can result from various issues, such as oracle downtime, data source errors, or network congestion.

  • Using stale data for price calculations can lead to incorrect distributions of assets to stakers, potentially causing halt of liquidation process in case zero eur/usd price return because the revert deu zero division :

(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
......................................................................
uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd)
>> / uint256(priceEurUsd)
* _hundredPC / _collateralRate;

Impact

Stale price data may cause incorrect asset distributions and, if priceEurUsd is zero, could halt liquidations due to transaction reversion.

Tools Used

manual review

Recommendations

It is recommended to use Chainlink’s latestRoundData() function with
checks on the return data for example:

( uint80 roundId , int256 price , uint256 startedAt , uint256updatedAt , uint80 answeredInRound ) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
require ( answeredInRound >= roundID , " Stale price ");
require ( price > 0, " invalid price ");
require ( block . timestamp <= updatedAt + 1 hour , " Staleprice ");
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.