The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Some calls to Oracles don't check for stale prices

Summary

Several Chainlink oracle reads in LiquidationPool call latestRoundData() without checking whether the returned price is stale.

Vulnerability Details

The following oracle calls take the answer from latestRoundData() and ignore the updatedAt timestamp, so a stale price is accepted as current:
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L207

(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L218

(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();

Oracle price feeds can become stale for a variety of reasons (the aggregator stops updating, the chain is congested, or the feed is deprecated).
These prices are used to calculate costInEuros during liquidation. That value is used to calculate _portion, which in turn is used to record each staker's reward amount. A stale price therefore causes either too many EUROs to be burned or too large a reward to be credited.

Impact

Too many EUROs are burned during liquidation, or too large a reward is credited to a staker; either outcome is a loss of funds.

Tools Used

Manual review

Recommended Mitigation Steps

Consider checking when the price was last updated: compare the updatedAt value returned by latestRoundData() with the feed's documented heartbeat and reject the answer if it is older than that window.
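As an added illustration of both the unchecked reads above and the recommended mitigation, the following Solidity is example code written for this page; it is not code from the 2023-12-the-standard repository. The AggregatorV3Interface declaration matches the published Chainlink interface; the SafeOracle library, the LiquidationPricing contract, the costInEuros function shape and the maxAge constants are assumptions, and the heartbeat values in particular must be taken from each feed's documentation on the target chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example: a staleness-checked wrapper around Chainlink's
// latestRoundData(). Not code from The Standard; the interface matches
// Chainlink's published AggregatorV3Interface, everything else is assumed.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

library SafeOracle {
    error InvalidPrice(address feed, int256 answer);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(address feed, uint80 roundId, uint80 answeredInRound);

    /// @notice Reads a feed and reverts instead of returning a stale or
    ///         otherwise unusable answer.
    /// @param feed   Chainlink aggregator (e.g. EUR/USD or an asset/USD feed).
    /// @param maxAge Tolerated age in seconds: the feed's documented heartbeat
    ///               plus a small grace period, never much larger.
    function readPrice(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (int256 price)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // A zero or negative answer is never a valid USD price.
        if (answer <= 0) revert InvalidPrice(address(feed), answer);
        // updatedAt == 0 means the round has not completed; an old timestamp
        // means the feed has stopped reporting within its heartbeat.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(address(feed), updatedAt, maxAge);
        }
        // answeredInRound < roundId signals an answer carried over from an
        // earlier round on older aggregators; treat it as stale as well.
        if (answeredInRound < roundId) {
            revert IncompleteRound(address(feed), roundId, answeredInRound);
        }
        return answer;
    }
}

// Assumed caller shape mirroring the two unchecked reads in the finding:
// the EUR/USD feed and an asset/USD feed read while pricing a liquidation.
contract LiquidationPricing {
    using SafeOracle for AggregatorV3Interface;

    // Assumed heartbeats (1 hour + grace). Replace with each feed's
    // documented heartbeat on the chain the contract is deployed to.
    uint256 public constant EUR_USD_MAX_AGE = 1 hours + 5 minutes;
    uint256 public constant ASSET_USD_MAX_AGE = 1 hours + 5 minutes;

    AggregatorV3Interface public immutable eurUsd;

    constructor(AggregatorV3Interface _eurUsd) {
        eurUsd = _eurUsd;
    }

    /// @dev Both feed reads now revert on stale data, so a liquidation cannot
    ///      be priced with an outdated EUR/USD or asset/USD answer. Assumes
    ///      both feeds report the same number of decimals, so their ratio is
    ///      dimensionless, and that EUROs uses 18 decimals.
    function costInEuros(
        AggregatorV3Interface assetFeed,
        uint8 assetDecimals,
        uint256 assetAmount
    ) public view returns (uint256) {
        int256 priceEurUsd = eurUsd.readPrice(EUR_USD_MAX_AGE);
        int256 assetPriceUsd = assetFeed.readPrice(ASSET_USD_MAX_AGE);
        return assetAmount * 10 ** (18 - assetDecimals)
            * uint256(assetPriceUsd) / uint256(priceEurUsd);
    }
}
```

Reverting is the conservative choice for a liquidation path: a stale answer cannot silently burn the wrong amount of EUROs or overpay a staker. The trade-off is availability, since a feed outage then blocks liquidations until it recovers, so a deployment should pair this check with a documented fallback or pause procedure rather than leaving liquidations stuck indefinitely.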

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
