DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

Chainlink oracle feeds are not configurable

Summary

That a Chainlink oracle works today does not mean Chainlink will keep supporting it in the future, and the address of a price feed could also change. Therefore, it does not make sense to make the price feed addresses constant.

Vulnerability Details

In LibEthUsdOracle, the ETH/USD Chainlink Oracle is a constant variable:

address constant ETH_USD_CHAINLINK_PRICE_AGGREGATOR =
0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419;

In LibWstethEthOracle, the wstETH/ETH Chainlink Oracle is a constant variable:

address constant WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR =
0x86392dC19c0b719886221c78AB11eb8Cf5c52812;

Therefore, if Chainlink changes the ETH/USD or wstETH/ETH price feeds in the future, LibEthUsdOracle and LibWstethEthOracle will return wrong prices.

Impact

It is not possible to update the addresses of price feeds that are no longer supported by Chainlink. This can lead to a complete DoS for the whole protocol.

Tools Used

Manual Review

Recommendations

Consider providing functions to update the Chainlink price feeds.
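
One way to implement the recommendation above, as an added example that is not part of the submission or the audited code base: the feed address lives in storage and can be replaced only by an owner, and only with a feed that currently returns a fresh, positive answer with the same decimals. The contract name, the single-owner model and the MAX_STALENESS value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's standard AggregatorV3Interface used by this example.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract: its name, owner model and MAX_STALENESS are assumptions.
contract ConfigurableEthUsdFeed {
    uint256 public constant MAX_STALENESS = 4 hours; // assumed freshness bound
    address public immutable owner;
    uint8 public immutable feedDecimals; // fixed at deployment so consumers' scaling never changes
    IAggregatorV3 public feed;

    event FeedUpdated(address indexed oldFeed, address indexed newFeed);
    error NotOwner();
    error BadFeed();

    constructor(address initialFeed) {
        owner = msg.sender;
        _check(IAggregatorV3(initialFeed));
        feed = IAggregatorV3(initialFeed);
        feedDecimals = IAggregatorV3(initialFeed).decimals();
    }

    // Owner-gated replacement. The old feed is never called, so a dead feed cannot block the update.
    function setFeed(address newFeed) external {
        if (msg.sender != owner) revert NotOwner();
        IAggregatorV3 candidate = IAggregatorV3(newFeed);
        _check(candidate);
        if (candidate.decimals() != feedDecimals) revert BadFeed();
        emit FeedUpdated(address(feed), newFeed);
        feed = candidate;
    }

    function getPrice() external view returns (uint256) {
        return _check(feed);
    }

    // Reverts on a non-positive or stale answer instead of returning a wrong price.
    function _check(IAggregatorV3 f) internal view returns (uint256) {
        (, int256 answer,, uint256 updatedAt,) = f.latestRoundData();
        if (answer <= 0 || updatedAt == 0 || block.timestamp - updatedAt > MAX_STALENESS) revert BadFeed();
        return uint256(answer);
    }
}
```

Making the address mutable adds a privileged update role that must itself be protected, for example behind governance or a timelock.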

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Chainlink feed configuration
