Chainlink oracle might return stale data #133
Labels: 3 (High Risk) (Assets can be stolen/lost/compromised directly); bug (Something isn't working); duplicate (This issue or pull request already exists); valid
Lines of code
https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBChainlinkV3PriceFeed.sol#L42
Vulnerability details
Impact
Oracle might return stale data for _price.
Proof of Concept
currentPrice in JBChainlinkV3PriceFeed.sol does not check whether the data returned by Chainlink is fresh (https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBChainlinkV3PriceFeed.sol#L42). If there is a problem with the Chainlink oracle, this contract may be supplied with incorrect or stale data. See these previous issues for reference:
code-423n4/2021-10-mochi-findings#87
code-423n4/2022-01-yield-findings#78
Tools Used
Manual code review
Recommended Mitigation Steps
Implement checks with require statements using the roundId and answeredInRound values supplied by Chainlink to ensure the data is fresh. See the mitigation in code-423n4/2021-10-mochi-findings#87.
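The following is an added illustration of that mitigation, not the project's JBChainlinkV3PriceFeed contract: a minimal wrapper around Chainlink's AggregatorV3Interface showing the unchecked read beside a hardened read. The contract name, the maxStaleness heartbeat parameter and the updatedAt age check are assumptions added here; the roundId/answeredInRound comparison is the check the finding recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Illustrative price feed wrapper (hypothetical, not the project's code)
///         demonstrating freshness checks on Chainlink round data.
contract StalenessCheckedPriceFeed {
    AggregatorV3Interface public immutable feed;

    /// @dev Assumed heartbeat: the longest interval the feed is expected to go
    ///      without a new round. Set it per feed from Chainlink's documentation.
    uint256 public immutable maxStaleness;

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    /// @notice Pattern the finding describes: the answer is used as-is, so a
    ///         halted or lagging aggregator silently yields an old price.
    function currentPriceUnchecked() external view returns (uint256) {
        (, int256 price, , , ) = feed.latestRoundData();
        return uint256(price);
    }

    /// @notice Hardened read: rejects non-positive answers, incomplete rounds,
    ///         answers carried over from an earlier round, and rounds older
    ///         than the assumed heartbeat.
    function currentPrice() external view returns (uint256) {
        (
            uint80 roundId,
            int256 price,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        require(price > 0, "Chainlink: invalid price");
        require(updatedAt != 0, "Chainlink: round not complete");
        // The answer must come from the current round, not a stale carry-over.
        require(answeredInRound >= roundId, "Chainlink: stale round");
        // The round must have been updated within the feed's heartbeat.
        require(block.timestamp - updatedAt <= maxStaleness, "Chainlink: price too old");

        return uint256(price);
    }
}
```

Reverting on stale data is a deliberate choice: a revert halts dependent operations until the feed recovers, whereas silently using an old answer lets pricing drift away from the market, which is the loss scenario the High Risk label refers to.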