The Standard

DeFiHardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Inadequate Validation for Chainlink Oracle

Description:

LiquidationPool relies on Chainlink's price feeds to value the assets it distributes to stakers, but it does not validate the returned data. In particular, there is no freshness check on the `updatedAt` timestamp returned by `latestRoundData()`, so an outdated price is used unchanged whenever the Chainlink OCR network fails to deliver an update in time.

Impact:

Outdated prices cause stakers to receive incorrect valuations for liquidated assets. Depending on the direction of the stale price, stakers receive more or less than they should, which distorts the pool's economics for every participant.

Proof of Concept:

The `updatedAt` field returned by `latestRoundData()` is discarded, so there is no way to verify that the price is recent enough (the `@>` markers highlight the affected lines; `...` marks omitted code):

function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
    consolidatePendingStakes();
@>  (,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
    ...
        if (asset.amount > 0) {
@>          (,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
            ...
        }

Tools Used:

  • Manual review

Recommended Mitigation Steps:

Introduce a configuration parameter for the staleness threshold in seconds, read the `updatedAt` value returned by `latestRoundData()`, and revert if the price is older than that threshold.
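The following is an added example of the recommended check, not code from The Standard's LiquidationPool. It declares Chainlink's `AggregatorV3Interface` inline so it compiles stand-alone, and the contract, function and parameter names (`StalenessCheckedPool`, `priceStalenessThreshold`, `_freshPrice`, `valueInEur`) are hypothetical. Beyond the freshness check the page asks for, it also rejects non-positive answers, a second sanity check that costs nothing once the round data is already being destructured.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Chainlink's AggregatorV3Interface, declared inline so this file compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Added example (not the project's code): a pool that accepts a Chainlink price only if
/// it was updated within a configurable staleness threshold. All names are hypothetical.
contract StalenessCheckedPool {
    error StalePrice(address feed, uint256 updatedAt, uint256 threshold);
    error InvalidPrice(address feed, int256 answer);
    error NotOwner();

    address public immutable owner;
    address public immutable eurUsd;
    /// Maximum accepted age of a price, in seconds (the mitigation's configuration parameter).
    uint256 public priceStalenessThreshold;

    constructor(address _eurUsd, uint256 _threshold) {
        owner = msg.sender;
        eurUsd = _eurUsd;
        priceStalenessThreshold = _threshold;
    }

    /// Owner-only setter so the threshold can follow the feed's heartbeat configuration.
    function setPriceStalenessThreshold(uint256 _threshold) external {
        if (msg.sender != owner) revert NotOwner();
        priceStalenessThreshold = _threshold;
    }

    /// Reads a feed and reverts unless the answer is positive and fresh enough.
    function _freshPrice(address feed) internal view returns (int256) {
        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
        if (answer <= 0) revert InvalidPrice(feed, answer);
        // updatedAt == 0 means the round never completed; a future timestamp would underflow below.
        if (
            updatedAt == 0 ||
            updatedAt > block.timestamp ||
            block.timestamp - updatedAt > priceStalenessThreshold
        ) {
            revert StalePrice(feed, updatedAt, priceStalenessThreshold);
        }
        return answer;
    }

    /// Simplified stand-in for the valuation inside distributeAssets: values one asset
    /// amount in EUR using two freshness-checked feeds. Both feeds are assumed to use the
    /// same number of decimals (8, as Chainlink USD feeds do), so the scales cancel.
    function valueInEur(address assetFeed, uint256 amount) external view returns (uint256) {
        int256 priceEurUsd = _freshPrice(eurUsd);
        int256 assetPriceUsd = _freshPrice(assetFeed);
        return amount * uint256(assetPriceUsd) / uint256(priceEurUsd);
    }
}

/// Constructed mock feed for local Hardhat tests: lets a test place updatedAt in the past.
contract MockAggregator is AggregatorV3Interface {
    int256 public answer;
    uint256 public updatedAt;

    function set(int256 _answer, uint256 _updatedAt) external {
        answer = _answer;
        updatedAt = _updatedAt;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}
```

In a Hardhat test, deploy two `MockAggregator` instances, point a `StalenessCheckedPool` at one of them as the EUR/USD feed, and call `set` with an `updatedAt` older than `block.timestamp - priceStalenessThreshold`: `valueInEur` then reverts with `StalePrice`, while the same call succeeds once `updatedAt` is refreshed. Choose the threshold per feed from its published heartbeat rather than one global value, since heartbeats differ between pairs.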

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
