The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

In `LiquidationPool:distributeAssets`, the Chainlink oracle can return stale prices.

Summary

The Chainlink oracle can occasionally return outdated prices, which can cause issues with the `distributeAssets` function.

Vulnerability Details

The distributeAssets function relies on the Chainlink asset to USD price feed to determine the value of assets. Based on this value, a certain amount of Euros is allocated to each stakeholder.

However, if Chainlink has problems starting a new round or reaching consensus on the new oracle value (e.g. Chainlink nodes abandoning the oracle, chain congestion, vulnerabilities/attacks on the Chainlink system), the contract may continue using outdated or incorrect data. This occurs when oracles are unable to submit new rounds.

Impact

As a result, the distribution of EUROs rewards may be incorrect, and in extreme cases it can even lead to a Denial of Service (DoS) situation if the stale price significantly exceeds the available distribution amount.

Tools Used

Manual review

Recommendations

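Add the following checks to ensure that the data returned is correct:

```solidity
// latestRoundData() returns (roundId, answer, startedAt, updatedAt, answeredInRound)
(uint80 roundId, int256 assetPriceUsd, , uint256 updateTime, uint80 answeredInRound) =
    Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
require(assetPriceUsd > 0, "Chainlink price <= 0");   // reject zero or negative answers
require(updateTime != 0, "Incomplete round");         // round has not been finalised
require(answeredInRound >= roundId, "Stale price");   // answer carried over from an older round
```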

Know more about stale prices
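
The recommended checks wrapped in a reusable helper, as an added example that is not code from the submission or from The Standard's repository. It goes one step beyond the finding by also bounding the age of `updatedAt`; the library name `CheckedPriceFeed`, its error names and the `maxAge` parameter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal copy of the Chainlink aggregator interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
}

// Hypothetical helper for illustration; names are not from the audited code base.
library CheckedPriceFeed {
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error PriceTooOld(uint256 updatedAt, uint256 maxAge);

    /// @param feed   Chainlink asset/USD aggregator
    /// @param maxAge assumed per-feed age limit in seconds, chosen from the feed's heartbeat
    function latestPrice(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (uint256 price, uint256 updatedAt)
    {
        (uint80 roundId, int256 answer, , uint256 updated, uint80 answeredInRound) =
            feed.latestRoundData();

        // The three checks recommended in the finding.
        if (answer <= 0) revert InvalidPrice(answer);
        if (updated == 0) revert IncompleteRound(roundId);
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        // Added age bound: a round can be complete and still too old to use.
        // A timestamp in the future underflows and reverts under 0.8 checked arithmetic.
        if (block.timestamp - updated > maxAge) revert PriceTooOld(updated, maxAge);

        return (uint256(answer), updated);
    }
}
```

Every failure path reverts, so a caller such as `distributeAssets` stops rather than distributing against a bad price while the feed is unhealthy.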

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
