This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
ast3ros - [M-3] Chainlink’s latestRoundData Might Return Stale Results #338
Comments
github-actions
bot
added
Medium
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
ast3ros
medium
[M-3] Chainlink’s latestRoundData Might Return Stale Results
Summary
The function does not verify the
updatedAttimestamp that is returned by the Chainlink Oracle. This creates a vulnerability that allows the protocol to use stale data from the oracle, which may not reflect the current market conditions.Vulnerability Detail
The returned updatedAt timestamp is not checked when calling
priceFeed.latestRoundData().If there is a problem with chainlink starting a new round and finding consensus on the new value for the oracle (e.g. chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale data (if oracles are unable to submit no new round is started)
Impact
The function
triggerDepegrelies on thelatestRoundDataAPI from Chainlink to determine if a depeg event has occurred. However, if the API returns a stale price that does not match the current market price, the function may fail to detect the depeg and execute the necessary actions. This can result in a loss of funds for the depositors of the premium vault, who will not be able to claim their share of thecollateralTVL.Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L296-L317
Tool used
Manual Review
Recommendation
Consider checking the oracle responses
updatedAtvalue after calling out topriceFeed.latestRoundData()verifying that the result is within an allowed margin of freshness.Duplicate of #70
The text was updated successfully, but these errors were encountered: