Insufficient Validation that could lead to incorrect price validation and protocol instability
Summary
The _check function does not fully validate the Chainlink price feed data, such as checking for negative prices or ensuring the feed is not stale.
Vulnerability Details
this vulnerability can be found in the lines of code below;
-
The Chainlink price feed returns a negative price due to a bug or manipulation.
-
The
_checkfunction does not handle negative prices, leading to incorrect validation. -
Example:
(, int chainLinkPrice, , uint256 updatedAt, ) = AggregatorV2V3Interface(dataFeed[token]).latestRoundData();
require(updatedAt > block.timestamp - maxTimeWindow[token], "stale price feed");If
chainLinkPriceis negative, the validation will fail silently.
Impact
Insufficient validation could lead to incorrect price validation and protocol instability
Tools Used
Deepseek
Recommendations
Add checks for negative prices in the
_checkfunction.Ensure the price feed is not stale by validating the
updatedAttimestamp.Implement additional validation mechanisms to ensure data accuracy.
Lead Judging Commences
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.