Submission Details
Severity:
[M-2] Multiple checks missing in `i_priceFeed.latestRoundData()` for chainlink oracle
Description:
getTotalMeowllateralInAave() and getUserVaultMeowllateralInEuros() use Chainlink oracle receiving the latestRoundData().
However, if Chainlink has a problem starting a new round and finding consensus on the new value for the oracle, the returned price can be stale or incorrect data (if oracles are unable to submit, no new round is started).
Impact:
Incorrect price feed values will lead to incorrect collateral calculation, thus giving out the wrong amount of shares.
Recommended Mitigation:
Add the following check to wherever chainlink price feeds are fetched:
function getTotalMeowllateralInAave() public view returns (uint256) {
(uint256 totalCollateralBase, , , , , ) = i_aavePool.getUserAccountData(address(this));
(uint80 roundId, int256 collateralToUsdPrice, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) = i_priceFeed.latestRoundData
if (roundID == 0 || collateralToUsdPrice<= 0 || updatedAt > block.timestamp || block.timestamp > MAX_STALENESS_TIME + updatedAt) revert InvalidPrice();
return totalCollateralBase.mulDiv(PRECISION, uint256(collateralToUsdPrice) * EXTRA_DECIMALS);
}
Updates
Lead Judging Commences
shikhar229169 about 1 year ago
Submission Judgement Published Assigned finding tags:
Stale Price from Chainlink Datafeed
Rewards breakdown
nSLOC
224This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.