The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

The implementation of the Chainlink data feed is incorrect

Summary

The protocol uses latestRoundData to get the current USD price of a specific token. However, it does not check whether the data is fresh, which matters especially on side chains.
Per the Chainlink documentation:
https://docs.chain.link/data-feeds/getting-started

If you are using Chainlink Data Feeds on L2 networks like Arbitrum, Optimism, and Metis, you must also check the latest answer from the L2 Sequencer Uptime Feed to ensure that the data is accurate in the event of an L2 sequencer outage

Vulnerability Details

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L250#L241
In the function distributeAssets, the protocol gets the current price in USD without checking the returned data.

(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();

Impact

Returning an incorrect price, such as 0, can result in the protocol losing funds.

Tools Used

Manual

Recommendations

-(,int256 priceEurUsd,,,) = AggregatorV3Interface(eurUsd).latestRoundData();
+(uint256 roundId,int256 priceEurUsd,,uint256 updatetime,uint256 answerInRound) = AggregatorV3Interface(eurUsd).latestRoundData();
+require(priceEurUsd>0);
+require(answerInRound>=roundId);
+require(updatetime!=0);
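
Review bot: `require(updatetime!=0)` on the last added line only rejects an incomplete round and puts no bound on the age of the answer, so the freshness concern raised in the Summary is not addressed; compare `block.timestamp - updatetime` against a per-feed maximum age instead. On the first added line, `roundId` and `answerInRound` are declared as `uint256`, while `latestRoundData()` returns `uint80` for both, so the declarations should match the interface. The patch covers only the EUR/USD read: the `assetPriceUsd` read shown under Vulnerability Details needs the same checks, and the replacement line drops the `Chainlink.` prefix used in the line it removes.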

Also check whether the sequencer is down. Example:
https://docs.chain.link/data-feeds/l2-sequencer-feeds#example-code
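
One way to combine the price checks recommended above with the L2 Sequencer Uptime Feed check, as an added example that is not code from the submission or from The Standard. The names `CheckedFeed`, `read` and `maxAge` and the one-hour grace period are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal copy of the Chainlink aggregator interface used by this example.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper library, not part of The Standard's code base.
library CheckedFeed {
    error SequencerDown();
    error GracePeriodNotOver();
    error InvalidPrice();
    error IncompleteRound();
    error StalePrice();

    // Assumed value: how long to wait after the sequencer comes back up.
    uint256 internal constant GRACE_PERIOD = 1 hours;

    // sequencerFeed: the L2 Sequencer Uptime Feed; pass address(0) on chains without one.
    // maxAge: per-feed staleness bound chosen by the integrator (assumption).
    function read(AggregatorV3Interface feed, AggregatorV3Interface sequencerFeed, uint256 maxAge)
        internal view returns (uint256)
    {
        if (address(sequencerFeed) != address(0)) {
            // Uptime feed: answer 0 = sequencer up, 1 = down; startedAt = time of last status change.
            (, int256 status, uint256 since,,) = sequencerFeed.latestRoundData();
            if (status != 0) revert SequencerDown();
            if (block.timestamp - since <= GRACE_PERIOD) revert GracePeriodNotOver();
        }
        (, int256 price,, uint256 updatedAt,) = feed.latestRoundData();
        if (price <= 0) revert InvalidPrice();          // rejects 0 and negative answers
        if (updatedAt == 0) revert IncompleteRound();   // round has not completed
        if (block.timestamp - updatedAt > maxAge) revert StalePrice();
        return uint256(price);
    }
}
```

Both reads in distributeAssets (EUR/USD and the asset feed) would go through the same helper, each with a `maxAge` suited to that feed's update interval.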

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
