The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`latestRoundData()` has no check for round completeness

nmirchev8

Summary

No check for round completeness could lead to stale prices and wrong price return value, or outdated price. The functions rely on accurate price feed might not work as expected, sometimes can lead to fund loss.

Vulnerability Details

Inside LiquidityPool::distributeAssets there are two call to chainlink prize feeds, which doesn't check the result, which is advisable according to chainlink docs The external Chainlink oracle, which provides index price information to the system, introduces risk inherent to any dependency on third-party data sources. For example, the oracle could fall behind or otherwise fail to be maintained, resulting in outdated data being fed to the index price calculations. Oracle reliance has historically resulted in crippled on-chain systems, and complications that lead to these outcomes can arise from things as simple as network congestion.

Impact

This could lead to stale prices and wrong price return value, or outdated price.
As a result, the functions rely on accurate price feed might not work as expected, sometimes can lead to fund loss. The impacts vary and depends on the specific situation like the following:

Tools Used

Manual Review

Recommendations

Validate data feed for round completeness:

(

uint80 roundID,

int price,

/*uint startedAt*/,

uint timeStamp,

uint80 answeredInRound

) = _priceFeed.latestRoundData();

//check for Chainlink oracle deviancies, force a revert if any are present. Helps prevent a LUNA like issue

require(price > 0, "Negative Oracle Price");

require(timeStamp >= block.timestamp - HEARTBEAT_TIME , "Stale pricefeed");

require(answeredInRound >= roundID, "round not complete");

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

Chainlink-price

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.