QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Insufficient validation of Chainlink price feeds

Summary

ChainlinkOracle::_getData() consumes Chainlink price feed data without adequate validation. Although the function checks that the returned value is greater than 0, it does not check the other key fields, roundId and the update timestamp, that are needed to assess whether the oracle data is fresh and trustworthy.

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/ChainlinkOracle.sol#L27-L34

Impact

Because of the missing validation, ChainlinkOracle::_getData() may accept stale data from the oracle. This directly affects the protocol's core features, which depend on an accurate and current price to function correctly. Without validation, the protocol may run its logic and make decisions on worthless or outdated information, which can cause anomalous behaviour, financial discrepancies and disruption of vital processes.

Tools Used

Manual Review

Recommendations

Implement `ChainlinkOracle::_getData()` so that it properly validates the freshness of the data:

function _getData() internal view override returns (int216, uint40) {
- (, /*uint80 roundID*/ int data, , /*uint startedAt*/ uint timestamp, ) = /*uint80 answeredInRound*/
- priceFeed.latestRoundData();
+ (uint80 roundId, int data, , uint timestamp, ) = priceFeed.latestRoundData();
+ require(roundId > 0, "Invalid Round ID");
+ require(timestamp > 0 && timestamp <= block.timestamp, "Invalid Timestamp");
require(data > 0, "INVLDDATA");
data = data * int(10 ** normalizationFactor);
return (int216(data), uint40(timestamp)); // Overflow of data is extremely improbable and uint40 is large enough for timestamps for a very long time
}
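
Review bot: the added `require(timestamp > 0 && timestamp <= block.timestamp, "Invalid Timestamp");` rejects only a zero or future timestamp, so a feed that has simply stopped updating still passes and the staleness this recommendation is aimed at remains unchecked; compare the price age against a per-feed maximum instead, for example `require(block.timestamp - timestamp <= maxStaleness, "Stale price");` with `maxStaleness` set from the feed's published heartbeat. The `require(roundId > 0, ...)` check is similarly weak on its own; if round consistency is wanted, the `answeredInRound` value that the destructuring on the `+` line still discards is the field to compare against `roundId`.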
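
As an added illustration of the validation the recommendation calls for (example code written for this page, not QuantAMM's ChainlinkOracle or Chainlink's own code), the wrapper below rejects a zero or inconsistent round, a non-positive answer, and a price older than a configurable maximum age. The `maxStaleness` constructor parameter, the custom errors and the `latestPrice()` accessor are assumptions introduced here; `normalizationFactor` mirrors the variable used on the page, and the interface is a minimal inline copy of Chainlink's AggregatorV3Interface so the file compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal inline copy of Chainlink's AggregatorV3Interface (only the members used here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Example oracle wrapper with freshness validation; not the protocol's own contract.
contract ValidatedChainlinkOracle {
    AggregatorV3Interface public immutable priceFeed;
    /// @dev Maximum accepted price age in seconds (hypothetical parameter). Set it a little above the
    ///      feed's published heartbeat so a healthy feed is never rejected but a stuck one is.
    uint256 public immutable maxStaleness;
    /// @dev Power of ten that scales the feed answer up to 18 decimals, as normalizationFactor does on the page.
    uint256 public immutable normalizationFactor;

    error InvalidRound(uint80 roundId, uint80 answeredInRound);
    error InvalidAnswer(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 currentTime);

    constructor(address feed, uint256 _maxStaleness) {
        priceFeed = AggregatorV3Interface(feed);
        maxStaleness = _maxStaleness;
        uint8 feedDecimals = priceFeed.decimals();
        require(feedDecimals <= 18, "unsupported decimals");
        normalizationFactor = 18 - feedDecimals;
    }

    function _getData() internal view returns (int216, uint40) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // Round sanity: round 0 never exists, and an answer carried over from an earlier round is
        // rejected. (answeredInRound is deprecated for OCR feeds, where it equals roundId; the check is harmless.)
        if (roundId == 0 || answeredInRound < roundId) revert InvalidRound(roundId, answeredInRound);

        // Positive price, the one check the original function already performs.
        if (answer <= 0) revert InvalidAnswer(answer);

        // Freshness: updatedAt == 0 means the round never completed, a future timestamp is malformed,
        // and an age above maxStaleness means the feed has stopped updating. This is the check the
        // original function lacks; a plain `updatedAt <= block.timestamp` would not catch a stuck feed.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp);
        }

        int256 scaled = answer * int256(10 ** normalizationFactor);
        return (int216(scaled), uint40(updatedAt));
    }

    /// @notice Public accessor so the validated read can be called from tests or other contracts.
    function latestPrice() external view returns (int216 price, uint40 updatedAt) {
        return _getData();
    }
}
```

The accepted age is deliberately a constructor argument rather than a constant: Chainlink feeds have different heartbeats and deviation thresholds per pair and per chain, so a single hard-coded value either rejects healthy slow feeds or lets a stuck fast feed through.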
Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_chainlink_staled_data_updateAt_roundId_known_issue

LightChaser: ## [Medium-4] Insufficient oracle validation
