Oracle price could not be fresh #179

Closed
code423n4 opened this issue Aug 17, 2022 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4 (Contributor)

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L524
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L532

Vulnerability details

Vulnerability

In FraxlendPairCore._updateExchangeRate, we are using latestRoundData, but there are no validations that the data is not stale.

The current code is:

            (, int256 _answer, , , ) = AggregatorV3Interface(oracleMultiply).latestRoundData();
            if (_answer <= 0) {
                revert OracleLTEZero(oracleMultiply);
            }

But it is missing the checks that validate the data is not stale:

-           (, int256 _answer, , , ) = AggregatorV3Interface(oracleMultiply).latestRoundData();
+           (uint80 round, int256 _answer, , uint256 latestTimestamp, answeredInRound) = AggregatorV3Interface(oracleMultiply).latestRoundData();
            if (_answer <= 0) {
                revert OracleLTEZero(oracleMultiply);
            }
+           require(latestTimestamp != 0, "Incomplete round");
+           require(answeredInRound >= round, "Stale price");
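Review bot: the destructuring on the `+ (uint80 round, int256 _answer, , uint256 latestTimestamp, answeredInRound)` line leaves `answeredInRound` without a type, so the hunk does not compile as written; it needs `uint80 answeredInRound`. The fourth return value of `latestRoundData` is `updatedAt`, and `require(latestTimestamp != 0, "Incomplete round")` only rejects a round that was never answered: it puts no bound on how old the answer is, so a feed that has simply stopped updating still passes. A staleness check has to compare the timestamp against `block.timestamp` with a per-feed maximum age derived from the feed's heartbeat, e.g. `require(block.timestamp - latestTimestamp <= MAX_ORACLE_DELAY, "Stale price");`. The issue links two call sites (lines 524 and 532) but the hunk patches only the `oracleMultiply` read; the second oracle read needs the same treatment.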

Note that inaccurate price data could quickly lead to a large loss of funds.

@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Aug 17, 2022
code423n4 added a commit that referenced this issue Aug 17, 2022
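The following is an added example of what a complete freshness check on a Chainlink-style feed looks like, written for this page; it is not Fraxlend code and not the warden's diff. Contract, function and error names (`OracleGuard`, `readFreshPrice`, `maxAge`, `MockAggregator`, `StaleFeedScenario`) are this example's own, the `AggregatorV3Interface` declaration is a minimal subset of Chainlink's, the one-hour heartbeat is an assumed value, and every round the mock returns is constructed. `OracleLTEZero` reuses the error name from the quoted snippet so the first check reads the same.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not Fraxlend code. Minimal subset of Chainlink's AggregatorV3Interface;
// the real interface declares more members.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical consumer that refuses non-positive, incomplete, carried-over or aged feed data.
/// @dev Names in this contract are this example's own, not names from the Fraxlend code base.
contract OracleGuard {
    error OracleLTEZero(address oracle);
    error OracleIncompleteRound(address oracle, uint80 roundId);
    error OracleStaleRound(address oracle, uint80 roundId, uint80 answeredInRound);
    error OracleStalePrice(address oracle, uint256 updatedAt, uint256 maxAge);

    /// @notice Maximum accepted answer age per feed, in seconds. Assumption: an operator sets this to
    /// slightly more than the feed's published heartbeat; a feed with no entry (0) is always rejected.
    mapping(address => uint256) public maxAge;

    function setMaxAge(address oracle, uint256 ageSeconds) external {
        // Access control deliberately omitted; a real deployment restricts this to an admin role.
        maxAge[oracle] = ageSeconds;
    }

    function readFreshPrice(address oracle) external view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(oracle).latestRoundData();

        if (answer <= 0) revert OracleLTEZero(oracle);
        // updatedAt == 0: the round was opened but never answered.
        if (updatedAt == 0) revert OracleIncompleteRound(oracle, roundId);
        // Answer computed in an earlier round than the one reported (legacy multi-round feeds).
        if (answeredInRound < roundId) revert OracleStaleRound(oracle, roundId, answeredInRound);
        // Bound the answer's age; a timestamp in the future is rejected rather than allowed to underflow.
        uint256 limit = maxAge[oracle];
        if (limit == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > limit) {
            revert OracleStalePrice(oracle, updatedAt, limit);
        }
        price = uint256(answer);
    }
}

/// @dev Mock feed for exercising the guard; every value it returns is constructed for this example.
contract MockAggregator is AggregatorV3Interface {
    uint80 private _roundId;
    int256 private _answer;
    uint256 private _updatedAt;
    uint80 private _answeredInRound;

    function set(uint80 roundId_, int256 answer_, uint256 updatedAt_, uint80 answeredInRound_) external {
        _roundId = roundId_;
        _answer = answer_;
        _updatedAt = updatedAt_;
        _answeredInRound = answeredInRound_;
    }

    function decimals() external pure returns (uint8) { return 8; }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (_roundId, _answer, _updatedAt, _updatedAt, _answeredInRound);
    }
}

/// @dev Walks the guard through one fresh round and three stale or malformed ones.
contract StaleFeedScenario {
    OracleGuard public guard;
    MockAggregator public feed;

    constructor() {
        guard = new OracleGuard();
        feed = new MockAggregator();
        guard.setMaxAge(address(feed), 1 hours + 5 minutes); // assumed 1 hour heartbeat plus slack
    }

    function accepted() internal view returns (bool ok) {
        try guard.readFreshPrice(address(feed)) returns (uint256) { ok = true; } catch { ok = false; }
    }

    /// @return fresh, incomplete, carriedOver, tooOld: only `fresh` should come back true.
    function run() external returns (bool fresh, bool incomplete, bool carriedOver, bool tooOld) {
        uint256 ts = block.timestamp;
        feed.set(10, 1700e8, ts - 1 minutes, 10);   fresh = accepted();       // answered a minute ago
        feed.set(11, 1700e8, 0, 11);                incomplete = accepted();  // round never answered
        feed.set(12, 1700e8, ts - 1 minutes, 11);   carriedOver = accepted(); // answer from round 11
        feed.set(13, 1700e8, ts - 1 days, 13);      tooOld = accepted();      // well past the heartbeat
    }
}
```

Deploy `StaleFeedScenario` and call `run()`; it returns `(true, false, false, false)`. The age bound is the check that matters in practice: the `updatedAt != 0` and `answeredInRound >= roundId` conditions catch malformed rounds, but only the comparison against `block.timestamp` rejects a feed that has stopped updating, and it must be tuned per feed because Chainlink heartbeats differ from feed to feed. Chainlink has since deprecated `answeredInRound` for its current feeds (it always equals `roundId` there), so that check is harmless but no longer load-bearing.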
@0xA5DF commented Aug 17, 2022

Out of scope, similar to #361

@DrakeEvans (Collaborator)

Stale oracle data, and bad oracle data in general is an accepted risk of the project. It is listed in known issues as well. Out of scope

@gititGoro (Collaborator) commented Sep 30, 2022

Oracle misconfiguration is listed as a known issue in the README and is out of scope. Presumably Frax has some infrastructure in mind to handle this.

Marking invalid.

@gititGoro gititGoro added the invalid This doesn't seem right label Sep 30, 2022