QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

On `OracleWrapper::getData` there should be a check for returned `data`

Summary

There is no check on the `data` value returned by `OracleWrapper::getData`, and this function is used in many different contracts.

Vulnerability Details

2024-12-quantamm/pkg/interfaces/contracts/pool-quantamm/OracleWrapper.sol at main · Cyfrin/2024-12-quantamm

```solidity
/// @notice Get the data of the underlying oracle, interpretation of data depends on oracle type
/// @param data The underlying data (can be negative), normalized to 18 decimals
/// @return data Retrieved oracle data
/// @return timestamp Last update timestamp
function getData() public view returns (int216 data, uint40 timestamp) {
@>  (data, timestamp) = _getData();
    require(timestamp > 0, "INVORCLVAL"); // Sanity check in case oracle returns invalid values
}
```

Impact

The data can be negative or zero, which would likely indicate an error or an invalid price feed, and using such data could lead to incorrect calculations and unexpected behavior within the smart contract.

Tools Used

Manually reviewed

Recommendations

/// @notice Get the data of the underlying oracle, interpretation of data depends on oracle type
/// @param data The underlying data (can be negative), normalized to 18 decimals
/// @return data Retrieved oracle data
/// @return timestamp Last update timestamp
function getData() public view returns (int216 data, uint40 timestamp) {
(data, timestamp) = _getData();
+ require(data > 0, "error message");
require(timestamp > 0, "INVORCLVAL"); // Sanity check in case oracle returns invalid values
}
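
Review bot: The added `require(data > 0, "error message");` contradicts the NatSpec kept two lines above it, which documents `data` as "can be negative" and says its interpretation "depends on oracle type"; a blanket positivity check inside `getData()` would revert for any oracle type where a negative or zero reading is legitimate. If a specific consumer needs a strictly positive value, the check belongs where that value is interpreted, not in the shared wrapper. The placeholder string "error message" should also be replaced with a short code in the style of the existing "INVORCLVAL".
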
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
