The distributeAssets function relies on price data fetched from the Chainlink oracle. There is a risk that the function could use stale or incorrect data if the oracle encounters issues, such as failing to start a new round or reach consensus.
The function retrieves the latest round data from the Chainlink oracle (latestRoundData) for currency conversion rates. However, the returned values are used without any validity or freshness checks. Problems with the Chainlink service, such as node failure, network congestion, or a targeted attack on the feed, could result in the oracle returning a non-positive, incomplete, or outdated answer, which the function would then feed into critical calculations.
Using stale or incorrect oracle data leads to miscalculated asset distributions. This undermines the contract's financial integrity and users' trust, and can cause direct financial losses or allow the contract to be exploited (for example, by timing a call to distributeAssets while the feed is serving an outdated price).
Manual Review
Implement additional checks to validate the oracle data before it is used in calculations:
Ensure the raw price (rawPrice) is strictly greater than zero, so that a zero or negative answer is rejected rather than used.
Check that the update time (updateTime, the updatedAt field of latestRoundData) is not zero, confirming the round has completed.
Confirm that the answered round ID (answeredInRound) is greater than or equal to the current round ID (roundId), so the answer was not carried over from an earlier round. Note that Chainlink has deprecated answeredInRound on newer feeds, where it simply equals roundId, so this check alone no longer detects staleness. Additionally compare updateTime against the feed's documented heartbeat and revert if block.timestamp - updateTime exceeds a configured maximum delay.
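The following contract shows how these validations fit together around a latestRoundData call. It is an added illustration, not code from the audited project or from Chainlink; the contract name OracleReader, the custom errors, and the maxDelay parameter are assumptions, and the interface is a trimmed copy of Chainlink's AggregatorV3Interface containing only the functions used here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Trimmed copy of Chainlink's AggregatorV3Interface (the real one lives in
// @chainlink/contracts); only the functions this example needs.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Hypothetical reader that applies the checks listed above before
///         returning a price. Example code, not the project's own.
contract OracleReader {
    error InvalidPrice(int256 rawPrice);
    error IncompleteRound(uint80 roundId);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updateTime, uint256 maxDelay);

    AggregatorV3Interface public immutable feed;

    /// @dev Maximum accepted age of a price, in seconds. Assumed to be set a
    ///      little above the feed's documented heartbeat (e.g. 3600 for a
    ///      feed with a 1 hour heartbeat) so normal updates never trip it.
    uint256 public immutable maxDelay;

    constructor(address feedAddress, uint256 maxDelay_) {
        feed = AggregatorV3Interface(feedAddress);
        maxDelay = maxDelay_;
    }

    /// @return price the validated price, scaled by feed.decimals()
    function getValidatedPrice() public view returns (uint256 price) {
        (
            uint80 roundId,
            int256 rawPrice,
            /* startedAt */,
            uint256 updateTime,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // 1. The answer must be strictly positive; zero or negative values
        //    indicate a broken or manipulated feed.
        if (rawPrice <= 0) revert InvalidPrice(rawPrice);

        // 2. updatedAt == 0 means the round never completed.
        if (updateTime == 0) revert IncompleteRound(roundId);

        // 3. Legacy check: the answer must belong to this round or a later one.
        //    On newer feeds answeredInRound == roundId, so this alone is not
        //    a staleness guarantee.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        // 4. Heartbeat check: reject answers older than maxDelay. The first
        //    clause guards against a timestamp in the future, which would
        //    otherwise make the subtraction revert with an unhelpful panic.
        if (updateTime > block.timestamp || block.timestamp - updateTime > maxDelay) {
            revert StalePrice(updateTime, maxDelay);
        }

        price = uint256(rawPrice);
    }
}
```

A calling function such as distributeAssets would use getValidatedPrice() in place of a bare latestRoundData() call, so that any of the four failure modes reverts the distribution instead of silently producing a wrong allocation. Pick maxDelay per feed: heartbeats differ between pairs and networks, and a value that is too small will revert on every normal interval.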