Chainlinks oracle feeds are not configurable
Summary
That a chainlink oracle works does not mean it will be supported by chainlink in the future and keeps working, and it could also be possible that the address of the price feed changes. Therefore, it does not make sense to make the price feed addresses constant.
Vulnerability Details
In LibEthUsdOracle, the ETH/USD Chainlink Oracle is a constant variable:
In LibWstethEthOracle, the wstETH/ETH Chainlink Oracle is a constant variable:
Therefore, if chainlink changes ETH/USD or wstETH/ETH price feeds in future, the LibEthUsdOracle and LibWstethEthOracle will return wrong prices.
Impact
It is not possible to update the addresses of price feeds which are no longer supported by chainlink. This can lead to a complete DoS for the whole protocol.
Tools Used
Manual Review
Recommendations
Consider providing functions to update the chainlink price feeds.
Lead Judging Commences
Chainlink feed configuration
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.