The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Chainlink Price Feeds Cannot Be Updated

Summary

The eurUsd price feed cannot be updated if the oracle feed ceases functioning.

Vulnerability Details

A Chainlink price feed cannot be guaranteed to continue functioning indefinitely. For instance, Chainlink multisigs can immediately block access to price feeds at will, so just because a price feed is working today does not mean it will continue to do so indefinitely. There could be a number of reasons for a Chainlink price feed to no longer be accessible at the same address.

Impact

If the Chainlink feed is no longer available at the same address, the distributeAssets function will revert whenever it is called. This also eliminates any way for the contract to execute the private returnUnpurchasedNative function, effectively crippling the contract.

Tools Used

Manual Review

Recommendations

Either include a function to update the price feed from a trusted entity/multisig, or include a function to effectively shut down the contract and perform the proper accounting necessary in the event distributeAssets and returnUnpurchasedNative are no longer callable.
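A sketch of the first recommendation, added here as an example and not taken from the audited code base: a trusted admin can repoint the eurUsd feed, and reads return a failure flag instead of reverting so a caller such as distributeAssets can fall back to its shutdown accounting. It goes slightly beyond the recommendation by also guarding reads. The contract name, `admin`, `setEurUsdFeed`, `eurUsdPrice` and the `MAX_AGE` staleness bound are assumptions; only Chainlink's `latestRoundData` signature is real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface, declared inline to keep the file self-contained.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical contract: every name except latestRoundData is an assumption.
contract UpdatableEurUsdFeed {
    address public immutable admin;            // assumed to be a trusted multisig
    AggregatorV3Interface public eurUsd;
    uint256 public constant MAX_AGE = 1 days;  // assumed staleness bound
    event FeedUpdated(address indexed oldFeed, address indexed newFeed);
    error NotAdmin();
    error InvalidFeed();

    constructor(address _admin, address _feed) {
        admin = _admin;
        eurUsd = AggregatorV3Interface(_feed);
    }

    // Only the admin may repoint the feed, and only to an address that answers sanely now.
    function setEurUsdFeed(address newFeed) external {
        if (msg.sender != admin) revert NotAdmin();
        (bool ok, ) = _read(AggregatorV3Interface(newFeed));
        if (!ok) revert InvalidFeed();
        emit FeedUpdated(address(eurUsd), newFeed);
        eurUsd = AggregatorV3Interface(newFeed);
    }

    // Returns (false, 0) instead of reverting when the feed is gone, blocked, stale or non-positive.
    function eurUsdPrice() public view returns (bool ok, uint256 price) {
        return _read(eurUsd);
    }

    function _read(AggregatorV3Interface feed) private view returns (bool, uint256) {
        // try/catch does not cover a call to an address without code, so check first.
        if (address(feed).code.length == 0) return (false, 0);
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (updatedAt > block.timestamp || block.timestamp - updatedAt > MAX_AGE) return (false, 0);
            if (answer <= 0) return (false, 0);
            return (true, uint256(answer));
        } catch {
            return (false, 0);
        }
    }
}
```

The setter concentrates trust in `admin`, so in practice it belongs behind a multisig or timelock, and the `FeedUpdated` event gives monitoring a signal for every feed change.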

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

chainlink-revert

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

chainlink-revert
