Calls to Oracles could potentially revert, which may result in a complete Denial-of-Service to smart contracts which depend upon them. Chainlink multisigs can immediately block access to price feeds at will, so just because a price feed is working today does not mean it will continue to do so indefinitely.
In the code snippet below, the function distributeAssets() calls Chainlink's V3 aggregator to fetch the price of the assets in USD.
While there is currently no whitelisting mechanism to allow or disallow contracts from reading prices, powerful multisigs can tighten these access controls. In other words, the multisigs can immediately block access to price feeds at will. The distributeAssets() function would then fail with different errors, causing a DoS.
If the multisig blocks access to the price feed for specific assets, calls that depend on that price fail, which creates the DoS.
Manual Review
Use a try/catch statement to handle errors when fetching prices from the price feeds.
https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles
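
One way to apply the try/catch recommendation above, written as an added example rather than code from the audited project. The contract name GuardedPriceReader, the maxStaleness bound, the lastGoodPrice fallback and the FeedUnavailable event are assumptions made for illustration; only AggregatorV3Interface.latestRoundData() is Chainlink's own interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's AggregatorV3Interface needed for this example.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical wrapper: isolates the oracle call so a reverting feed
// cannot revert the caller (e.g. a function like distributeAssets()).
contract GuardedPriceReader {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxStaleness; // assumed bound, in seconds
    uint256 public lastGoodPrice;          // assumed fallback value (0 until first success)

    event FeedUnavailable(address indexed feed);

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        // try/catch does not catch a call to an address with no code,
        // so reject that case at deployment.
        require(address(_feed).code.length > 0, "feed has no code");
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    /// @return price fresh answer, or lastGoodPrice if the feed is unusable
    /// @return fresh false when the call reverted or the data failed validation
    function readPrice() external returns (uint256 price, bool fresh) {
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            // A revert inside this success block is NOT caught, so every
            // check is written to be revert-free (no underflow on the subtraction).
            if (answer > 0 && updatedAt != 0 && updatedAt <= block.timestamp
                && block.timestamp - updatedAt <= maxStaleness) {
                lastGoodPrice = uint256(answer);
                return (uint256(answer), true);
            }
        } catch {
            // Feed reverted, for example because read access was blocked.
        }
        emit FeedUnavailable(address(feed));
        return (lastGoodPrice, false);
    }
}
```

The caller decides what to do when fresh is false (skip the asset, pause that path, or query a secondary oracle); silently using lastGoodPrice for value transfers would trade the DoS for a stale-price risk.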