This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
sherlock-admin opened this issue Mar 28, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
carrot
medium
Freshness of pricefeed not checked properly
Summary
Chainlink Pricefeeds are not checked for the `latestTimestamp` before using them. This can lead to the usage of stale pricefeeds.
Vulnerability Detail
According to the chainlink docs, one "should track the `latestTimestamp` variable or use the `updatedAt` value from the `latestRoundData()` function to make sure that the latest answer is recent enough for your application to use it". The protocol checks for sequencer state, and for roundId, but does not check when the price was last updated. This can lead to the protocol using stale values of the price oracle which can prevent a depeg trigger, or trigger premature depegs.
Impact
Stale chainlink pricefeed values.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L273-L318
Tool used
Manual Review
Recommendation
Check the `updatedAt` value from the sequencer. If it is too old, revert or add some contingency.
Duplicate of #70
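A freshness check of the kind the finding asks for, as an added example that is not part of the original issue and is not the Y2K controller's code. The contract name `FreshPriceReader`, the `maxPriceAge` parameter and the custom errors are hypothetical; the sequencer and roundId checks the finding says already exist are left out to keep the focus on `updatedAt`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Chainlink's standard feed interface, reduced to the one call used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical consumer contract (illustration only).
contract FreshPriceReader {
    AggregatorV3Interface public immutable feed;
    // Assumption: the maximum tolerated age of an answer, in seconds,
    // chosen per feed (for example its heartbeat plus a safety margin).
    uint256 public immutable maxPriceAge;

    error RoundNotComplete();
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 currentTime);

    constructor(AggregatorV3Interface _feed, uint256 _maxPriceAge) {
        feed = _feed;
        maxPriceAge = _maxPriceAge;
    }

    function latestFreshPrice() external view returns (int256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();

        // A zero timestamp means the round carries no completed update.
        if (updatedAt == 0) revert RoundNotComplete();
        if (answer <= 0) revert InvalidPrice(answer);
        // The missing check: reject an answer that is older than maxPriceAge.
        // The first clause avoids an arithmetic underflow on a future timestamp.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, block.timestamp);
        }
        return answer;
    }
}
```

Reverting is one of the two options the recommendation names; a contingency such as a secondary price source would replace the `StalePrice` revert.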