Submission Details
Severity:
Immutable Chainlink Price Feed
Description
In ChainlinkOracle, the price feed is set as immutable in the constructor:
AggregatorV3Interface internal immutable priceFeed;
constructor(address _chainlinkFeed) {
require(_chainlinkFeed != address(0), "INVADDR");
priceFeed = AggregatorV3Interface(_chainlinkFeed);
normalizationFactor = 18 - priceFeed.decimals();
}
This means the price feed address cannot be updated if Chainlink deprecates or changes the feed address. While immutability can provide security benefits, it creates a significant risk if Chainlink needs to upgrade or deprecate a price feed, as there would be no way to update to the new feed address.
Vulnerable Code
AggregatorV3Interface internal immutable priceFeed;
Recommended Fix
Consider implementing an upgradeable pattern for the price feed:
AggregatorV3Interface private priceFeed;
constructor(address _chainlinkFeed) {
_updatePriceFeed(_chainlinkFeed);
}
function _updatePriceFeed(address _newFeed) internal {
require(_newFeed != address(0), "INVADDR");
priceFeed = AggregatorV3Interface(_newFeed);
normalizationFactor = 18 - priceFeed.decimals();
emit PriceFeedUpdated(_newFeed);
}
function updatePriceFeed(address _newFeed) external onlyOwner {
_updatePriceFeed(_newFeed);
}
Updates
Lead Judging Commences
n0kto 7 months ago
Submission Judgement Published Reason: Design choice
Assigned finding tags:
invalid_immutable_oracles/variables
Prize pool breakdown
Total prize
49,600 OP
nSLOC
3,00017 OP / LOC
44,640
4,960
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.