simon135 - no checking round data stale and decimals

Question

simon135 - no checking round data stale and decimals

Closed this issue 2 years ago · 5 comments

sherlock-admin commented 2 years ago

simon135

medium

no checking round data stale and decimals

Summary

no checking round data stale and decimals

Vulnerability Detail

If chainlink goes down and there is stale pricing of tokens the protocol can be hacked and loss funds

Impact

can cause loss of funds like if chainlike prices get stale and the decrease of the price of eth is not recorded the protocol will be rewarding eth long users profit when they are not getting profit.

Code Snippet

            (
                ,
                /* uint80 roundID */
                int256 _price,
                ,
                ,

            ) = /* uint256 startedAt */
                /* uint256 timestamp */
                /* uint80 answeredInRound */
                priceFeed.latestRoundData();

Tool used

Manual Review

Recommendation

require(answeredInRound >= roundID, "Chainlink:: Stale price")
require(timestamp > 0, "Chainlink:: Round not complete")

Answer 1 · 2023-04-03T19:46:23.000Z

Escalate for 10 USDC
because this issue deals with stale round-data and not validating stale pricing/timestamp, so it's dup of #174

Answer 2 · 2023-04-03T19:46:25.000Z

Escalate for 10 USDC
because this issue deals with stale round-data and not validating stale pricing/timestamp, so it's dup of #174

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Answer 3 · 2023-04-06T10:47:31.000Z

Chainlink oracles now use OCR which has a single transmitter and round checks no longer provide any useful information. While this submission and #174 both point to the same function call, they deal with the processing of different information. This issue does not mention anything at all about old timestamps, and #174 doesn't mention anything at all amout round info, so they are not duplicates

Answer 4 · 2023-04-11T07:17:39.000Z

Escalation rejected

Not a duplicate of #174
As shown in the comments check for answeredInRound is no longer necessary since the price is returned in a single transaction, the issue also does not provide valid information to consider it a duplicate.

Answer 5 · 2023-04-11T07:17:42.000Z

Escalation rejected

Not a duplicate of #174
As shown in the comments check for answeredInRound is no longer necessary since the price is returned in a single transaction, the issue also does not provide valid information to consider it a duplicate.

This issue's escalations have been rejected!

Watsons who escalated this issue will have their escalation amount deducted from their next payout.