DeFiFoundry
50,000 USDC
Submission Details
Severity: medium
Invalid

Improper validation of Chainlink return prices before use

Summary

In KeeperProxy.sol, the Chainlink price fetched in _check() is not properly validated before use (it is only checked for staleness), yet the price feed may return invalid prices.

Vulnerability Details

In _check(), only a staleness check is performed on the price feed; the actual price returned is not validated. This leaves room for error, as the returned price may be wrong or invalid.

/**
 * @notice Checks the price difference between the given price and the Chainlink price.
 * @dev Internal function to ensure the price difference is within the threshold.
 * @param token The address of the token.
 * @param price The price to be checked.
 */
function _check(address token, uint256 price) internal view {
    // https://github.com/code-423n4/2021-06-tracer-findings/issues/145
    (, int chainLinkPrice, , uint256 updatedAt, ) = AggregatorV2V3Interface(dataFeed[token]).latestRoundData();
    // Only the age of the answer is checked; the answer itself is used as-is below.
    require(updatedAt > block.timestamp - maxTimeWindow[token], "stale price feed");
    uint256 decimals = 30 - IERC20Meta(token).decimals();
    price = price / 10 ** (decimals - 8); // Chainlink price decimals is always 8.
    require(
        _absDiff(price, chainLinkPrice.toUint256()) * BPS / chainLinkPrice.toUint256() < priceDiffThreshold[token],
        "price offset too big"
    );
}

Impact

The wrong price may be used to execute transactions in the protocol.

Tools Used

Manual review

Recommendations

The price returned by Chainlink should also be checked for validity, not just staleness.
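As an added example (not code from KeeperProxy or from this submission), below is a hardened variant of the check that validates every field latestRoundData() returns before the answer is used. The storage names mirror the snippet above; the contract name, function names and the inline IAggregatorV3 interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Minimal stand-in for Chainlink's AggregatorV2V3Interface (assumption, inlined so this compiles alone).
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @dev Added example: storage names mirror the KeeperProxy snippet; contract and function names are hypothetical.
abstract contract HardenedPriceCheck {
    uint256 internal constant BPS = 10_000;

    mapping(address => address) public dataFeed;           // token => Chainlink aggregator
    mapping(address => uint256) public maxTimeWindow;      // token => max answer age in seconds
    mapping(address => uint256) public priceDiffThreshold; // token => allowed deviation in BPS

    /// @dev Reads latestRoundData() and rejects each fault with its own reason, instead of checking staleness only.
    function _validatedChainlinkPrice(address token) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            IAggregatorV3(dataFeed[token]).latestRoundData();

        // A feed with no completed round reports updatedAt == 0; that is invalid, not merely stale.
        require(updatedAt != 0, "round not complete");
        // Guards the subtraction below; an answer timestamped in the future is a feed fault.
        require(updatedAt <= block.timestamp, "future timestamp");
        // Same bound as the original, written so it cannot underflow when maxTimeWindow exceeds block.timestamp.
        require(block.timestamp - updatedAt <= maxTimeWindow[token], "stale price feed");
        // The answer is signed: zero or negative is a fault, not a price.
        require(answer > 0, "invalid price");
        // Rejects an answer carried over from an earlier round (Chainlink marks this field deprecated; drop if unpopulated).
        require(answeredInRound >= roundId, "stale round");
        return uint256(answer);
    }

    /// @dev Same deviation bound as the original _check(); `price8` is the caller's price already scaled to 8 decimals.
    function _checkHardened(address token, uint256 price8) internal view {
        uint256 chainLinkPrice = _validatedChainlinkPrice(token);
        uint256 diff = price8 > chainLinkPrice ? price8 - chainLinkPrice : chainLinkPrice - price8;
        require(diff * BPS / chainLinkPrice < priceDiffThreshold[token], "price offset too big");
    }
}
```

If toUint256() in the snippet is OpenZeppelin's SafeCast (an assumption), a negative answer already reverts there and a zero answer reverts on the division, so what the explicit checks add is a specific revert reason plus the round-completeness and future-timestamp cases.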

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
