oracleCircuitBreaker: Not checking if price information of asset is stale #164
Comments
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #4
See #4.
hansfriese marked the issue as unsatisfactory:
hansfriese marked the issue as not a duplicate
hansfriese removed the grade
hansfriese marked the issue as satisfactory
I will maintain this as a primary issue since it encompasses both concerns.
hansfriese marked the issue as selected for report
hansfriese marked the issue as primary issue
FYI, it should check if
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOracle.sol#L125-L126
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOracle.sol#L60
Vulnerability details
Impact
It does not check if the Chainlink oracle data for each asset is outdated. Users may trade at the wrong price.
Proof of Concept
At `getOraclePrice`, it does not check if the `timeStamp` of the asset token price oracle is stale. If it uses outdated price information, users will trade at the wrong price. The `oracleCircuitBreaker` function checks if the Chainlink oracle data for each asset is valid. It does not check if the `timeStamp` is stale either.
Tools Used
Manual Review
Recommended Mitigation Steps
Set the `chainlinkStaleLimit` for each asset and check if the price information is not outdated.
Assessed type
Oracle
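The mitigation described above, as an added example that is not part of the original report or the DittoETH code base: the first function mirrors the reported pattern (answer validated, `updatedAt` ignored), the second adds the per-asset stale limit the report recommends. `StaleOracleExample`, `MockFeed`, `InvalidPrice` and `StalePrice` are hypothetical names; the `latestRoundData` signature is Chainlink's `AggregatorV3Interface`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface.latestRoundData signature.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical library (not DittoETH code) showing the missing check and the fix.
library StaleOracleExample {
    error InvalidPrice();
    error StalePrice(uint256 updatedAt, uint256 staleLimit);

    /// Pattern the report describes: the answer is validated, but `updatedAt` is
    /// ignored, so a feed that stopped updating still returns its last price.
    function getPriceNoStaleCheck(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice();
        return uint256(answer);
    }

    /// Hardened version: `staleLimit` plays the role of the report's per-asset
    /// `chainlinkStaleLimit` and bounds how old `updatedAt` may be.
    function getPriceWithStaleCheck(AggregatorV3Interface feed, uint256 staleLimit)
        internal
        view
        returns (uint256)
    {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice();
        // updatedAt == 0 means the round never completed; an old value means the feed is stale.
        if (updatedAt == 0 || block.timestamp - updatedAt > staleLimit) {
            revert StalePrice(updatedAt, staleLimit);
        }
        return uint256(answer);
    }
}

// Constructed feed for local testing: returns a fixed answer with a caller-chosen timestamp.
contract MockFeed is AggregatorV3Interface {
    int256 public answer;
    uint256 public updatedAt;
    constructor(int256 _answer, uint256 _updatedAt) { answer = _answer; updatedAt = _updatedAt; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}
```

Deploying `MockFeed` with an `updatedAt` more than `staleLimit` seconds in the past makes `getPriceNoStaleCheck` return the old price while `getPriceWithStaleCheck` reverts with `StalePrice`.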