QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Absence of timestamp validation for price freshness and incomplete oracle health checks in the `ChainlinkOracle.sol` contract

eta

Summary

According to the _getData function in the ChainlinkOracle.sol contract, its reliance on Chainlink oracles is undermined by two critical vulnerabilities: the absence of timestamp validation for price freshness and incomplete oracle health checks. These issues expose the contract to risks of using stale or invalid price data, potentially leading to financial losses, incorrect transactions, and exploitable conditions.

Vulnerability Details

1. Outdated Price Data Usage

The _getData() function retrieves price data from a Chainlink oracle without validating the returned timestamp. This omission allows the contract to use stale price data, which can lead to incorrect decision-making in time-sensitive operations.

2. Incomplete Oracle Health Check

The contract only checks that price > 0 to validate the oracle data. However, it fails to verify additional critical metadata provided by Chainlink, such as roundID and answeredInRound. Neglecting these checks may result in accepting invalid or tampered data.

pkg/pool-quantamm/contracts/ChainlinkOracle.sol

function _getData() internal view override returns (int216, uint40) {

(, /*uint80 roundID*/ int data, , /*uint startedAt*/ uint timestamp, ) = /*uint80 answeredInRound*/

priceFeed.latestRoundData(); // @audit Missing timestamp validation

require(data > 0, "INVLDDATA"); // Insufficient validation

data = data * int(10 ** normalizationFactor);

return (int216(data), uint40(timestamp));

}

Impact

Outdated Price Data Usage: Using stale data can severely impact the contract's financial calculations, potentially leading to significant financial losses, incorrect transactions, or exploitation by adversaries aware of the data's obsolescence.
Incomplete Oracle Health Check: Failing to perform comprehensive health checks increases the risk of accepting invalid or manipulated data, undermining the contract's reliability and exposing it to financial attacks or operational failures.

Tools Used

Manual Review

Recommendations

It is recommended to enforce a staleness period to ensure price data is recent before proceeding with critical operations, and verify additional metadata from the Chainlink oracle to ensure the data is valid and the oracle is healthy.

For example:

+ uint256 constant STALENESS_PERIOD = 1 hours;

+ (uint80 roundID, int256 price, , uint256 timestamp, uint80 answeredInRound) = priceFeed.latestRoundData();

+ require(answeredInRound >= roundID, "Stale price round");

+ require(roundID > 0, "Invalid round");

+ require(price > 0, "Invalid price");

+ require(block.timestamp - timestamp <= STALENESS_PERIOD, "Stale price");

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

invalid_chainlink_staled_data_updateAt_roundId_known_issue

LightChaser: ## [Medium-4] Insufficient oracle validation

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!