code-423n4/2021-05-fairside-findings

Should check return data from Chainlink aggregators

code423n4 opened this issue · 2 comments

Handle

shw

Vulnerability details

Impact

The getEtherPrice function in the contract FSDNetwork fetches the ETH price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID or timeStamp, resulting in stale prices.

Proof of Concept

Referenced code:
FSDNetwork.sol#L376-L381

Recommended Mitigation Steps

Add checks on the return data with proper revert messages if the price is stale or the round is incomplete, for example:

(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = ETH_CHAINLINK.latestRoundData();
// the answer must come from the requested round (or a later one), otherwise it is stale
require(answeredInRound >= roundID, "...");
// a zero timestamp means the round has not completed yet
require(timeStamp != 0, "...");
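The checks above as a complete consumer contract, added here as an illustration and not code from the FairSide codebase or the PR that fixed the issue; the contract names, the MockAggregator test double and the 2 hour MAX_PRICE_AGE bound are assumptions (the bound should be set from the feed's documented heartbeat), while AggregatorV3Interface mirrors Chainlink's real interface signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface (same signatures as the real one).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract PriceConsumer {
    AggregatorV3Interface public immutable ethUsdFeed;
    // Assumed bound: reject answers older than this. Pick it from the feed's documented
    // heartbeat plus some slack; a value far above the heartbeat defeats the purpose.
    uint256 public constant MAX_PRICE_AGE = 2 hours;

    constructor(address feed) {
        ethUsdFeed = AggregatorV3Interface(feed);
    }

    // Hardened version of getEtherPrice: every field of latestRoundData is validated.
    function getEtherPrice() public view returns (uint256) {
        (uint80 roundId, int256 price, , uint256 updatedAt, uint80 answeredInRound) =
            ethUsdFeed.latestRoundData();
        require(price > 0, "Chainlink: non-positive price");
        require(updatedAt != 0, "Chainlink: round not complete");
        require(answeredInRound >= roundId, "Chainlink: stale round");
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "Chainlink: price too old");
        return uint256(price);
    }
}

// Test double (assumed, not a Chainlink contract): lets a unit test drive each revert path
// by returning whatever round data is set, e.g. answeredInRound < roundId or updatedAt == 0.
contract MockAggregator is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 _roundId, int256 _answer, uint256 _updatedAt, uint80 _answeredInRound) external {
        (roundId, answer, updatedAt, answeredInRound) = (_roundId, _answer, _updatedAt, _answeredInRound);
    }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}
```

Deploy PriceConsumer against MockAggregator in a test, call set with a stale round (e.g. roundId 5, answeredInRound 4) and confirm getEtherPrice reverts with "Chainlink: stale round" before pointing it at the real feed.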

Fixed in PR#7.

Labeling this as medium risk as stale ether price could put funds at risk.