Missing sanity checks on request-id in fulfillRequest could allow older requests to be fulfilled and overwrite the current price data, leading to inaccurate prices for the tokens.
In the documentation for Chainlink Functions, when sendRequest is called, the current request-id is stored as s_lastRequestId:
This request is fulfilled when fulfillRequest is called by Chainlink:
There is a check on requestId which verifies that it equals s_lastRequestId:
The check ensures that only the latest request is fulfilled, preventing outdated responses from being accepted. Since Chainlink requests are asynchronous, multiple requests can be in flight simultaneously.
Without this check, an older request could overwrite a newer response, leading to inconsistent or incorrect contract behaviour. This safeguard ensures single-request consistency. Have a look at the link below:
But in the abstract contract BaseChainlinkFunctionsOracle, which is inherited by both RAACPrimeRateOracle and RAACHousePriceOracle:
The above check is missing. This can lead to inconsistent price updates.
An older request could overwrite a newer response, leading to inconsistent or incorrect updates to the price of the tokens.
Manual review
As recommended by the Chainlink docs, add the above request-id check to fulfillRequest in BaseChainlinkFunctionsOracle so that only the response for s_lastRequestId is accepted.
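The vulnerable and hardened shapes of fulfillRequest side by side, as an added example that is not the audited project's code or Chainlink's sample; the contract name ExampleFunctionsOracle and the requestPrice function are hypothetical, and the import paths assume the Functions v1_0_0 client from the @chainlink/contracts package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Chainlink Functions client base and request builder (paths from the
// @chainlink/contracts package; verify them against the version you pin).
import {FunctionsClient} from "@chainlink/contracts/src/v0.8/functions/v1_0_0/FunctionsClient.sol";
import {FunctionsRequest} from "@chainlink/contracts/src/v0.8/functions/v1_0_0/libraries/FunctionsRequest.sol";

// Hypothetical oracle used only to illustrate the finding; not the audited contract.
abstract contract ExampleFunctionsOracle is FunctionsClient {
    using FunctionsRequest for FunctionsRequest.Request;

    bytes32 public s_lastRequestId;
    uint256 public s_lastPrice;
    bytes public s_lastError;

    error UnexpectedRequestID(bytes32 requestId);

    constructor(address router) FunctionsClient(router) {}

    // Sends a Functions request and records its id as the only one we will accept.
    function requestPrice(
        string calldata source,
        uint64 subscriptionId,
        uint32 callbackGasLimit,
        bytes32 donId
    ) external returns (bytes32 requestId) {
        FunctionsRequest.Request memory req;
        req.initializeRequestForInlineJavaScript(source);
        requestId = _sendRequest(req.encodeCBOR(), subscriptionId, callbackGasLimit, donId);
        s_lastRequestId = requestId;
    }

    // Callback invoked by the Functions router once the DON has a result.
    function fulfillRequest(bytes32 requestId, bytes memory response, bytes memory err)
        internal
        override
    {
        // VULNERABLE shape (what the finding describes): no id check here, so a
        // late response to an OLDER request that lands after a newer request has
        // been fulfilled silently overwrites s_lastPrice with stale data.

        // HARDENED shape: reject any response that is not for the latest request.
        if (requestId != s_lastRequestId) revert UnexpectedRequestID(requestId);

        s_lastError = err;
        // On a DON-side error the response is empty; only decode a real uint256.
        if (response.length == 32) s_lastPrice = abi.decode(response, (uint256));
    }
}
```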