Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

carrot - Freshness of pricefeed not checked properly #491

Closed
sherlock-admin opened this issue Mar 28, 2023 · 0 comments
Closed

carrot - Freshness of pricefeed not checked properly #491

sherlock-admin opened this issue Mar 28, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 28, 2023

carrot

medium

Freshness of pricefeed not checked properly

Summary

Chainlink Pricefeeds are not checked for the latestTimestamp before using them. This can lead to the usage of stale pricefeeds.

Vulnerability Detail

According to the chainlink docs, one "should track the latestTimestamp variable or use the updatedAt value from the latestRoundData() function to make sure that the latest answer is recent enough for your application to use it". The protocol checks for sequencer state, and for roundId, but does not check when the price was last updated. This can lead to the protocol using stale values of the price oracle which can prevent a depeg trigger, or trigger premature depegs.

Impact

Stale chainlink pricefeed values.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L273-L318

Tool used

Manual Review

Recommendation

Check the updatedAt value from the sequencer. If it is too old, revert or add some contingency.

Duplicate of #70

@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Development

No branches or pull requests

1 participant