Platform: Code4rena
Start Date: 25/10/2022
Pot Size: $50,000 USDC
Total HM: 18
Participants: 127
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 175
League: ETH
Rank: 90/127
Findings: 2
Award: $24.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 8olidity, BClabs, CertoraInc, Chom, Franfran, Lambda, RaoulSchaffranek, Ruhum, codexploder, cryptphi, eierina, joestakey, kaden, neumo, pashov, rvierdiiev, sorrynotsorry
24.2165 USDC - $24.22
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L121
```solidity
function setFeed(address token, IChainlinkFeed feed, uint8 tokenDecimals) public onlyOperator {
    feeds[token] = FeedData(feed, tokenDecimals);
}
```
There is no restriction on tokenDecimals. If the sum of tokenDecimals and feedDecimals is greater than 36, the subtraction below overflows and causes the oracle function to fail:

```solidity
uint8 decimals = 36 - feedDecimals - tokenDecimals;
```
```solidity
// src/test/FiRMTest.sol
oracle.setFeed(address(WETH), IChainlinkFeed(address(ethFeed)), 19); // @audit 18 -> 19
```

Tools used: forge
Limit the size of tokenDecimals
#0 - c4-judge
2022-11-04T23:47:44Z
0xean marked the issue as duplicate
#1 - Simon-Busch
2022-12-05T15:13:36Z
Marked satisfactory as requested by @0xean
#2 - c4-judge
2022-12-06T00:03:50Z
0xean changed the severity to 2 (Med Risk)
#3 - c4-judge
2022-12-07T08:18:20Z
Simon-Busch marked the issue as duplicate of #533
🌟 Selected for report: rbserver
Also found by: 0x1f8b, 0xNazgul, 0xc0ffEE, 8olidity, Aymen0909, Chom, Franfran, Jeiwan, Jujic, Lambda, M4TZ1P, Olivierdem, Rolezn, Ruhum, TomJ, Wawrdog, __141345__, bin2chen, c7e7eff, carlitox477, catchup, cccz, codexploder, cuteboiz, d3e4, dipp, djxploit, eierina, elprofesor, hansfriese, horsefacts, idkwhatimdoing, imare, immeas, joestakey, ladboy233, leosathya, martin, minhtrng, pashov, peanuts, pedroais, rokinot, rvierdiiev, saneryee, sorrynotsorry, tonisives
0.385 USDC - $0.38
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L82
The contract uses Chainlink's deprecated API latestAnswer(). Such functions might suddenly stop working if Chainlink stops supporting deprecated APIs.
If the deprecated API stops working, prices cannot be obtained. The protocol stops and the contracts have to be redeployed.
See similar Low-severity finding L11 from OpenZeppelin's Audit of Opyn Gamma Protocol: https://blog.openzeppelin.com/opyn-gamma-protocol-audit/
This was a Medium-severity finding in the previous version of the WildCredit contest as well: code-423n4/2021-07-wildcredit-findings#75, where it was reported that "latestAnswer method will return the last value, but you won't be able to check if the data is fresh. On the other hand, calling the method latestRoundData allow you to run some extra validations".
See https://docs.chain.link/docs/deprecated-aggregatorinterface-api-reference/#latestanswer.
```solidity
interface IChainlinkFeed {
    function decimals() external view returns (uint8);
    function latestAnswer() external view returns (uint);
}
```

Calling the method latestRoundData allows you to run some extra validations.
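The following hardened oracle fragment is an added example covering both findings above; it is not Inverse Finance's Oracle.sol. The IAggregatorV3 interface, the HardenedOracle contract, the MAX_DELAY staleness bound and the require messages are assumptions for illustration; setFeed() bounds the decimals so the `36 - feedDecimals - tokenDecimals` subtraction cannot revert, and getPrice() uses latestRoundData() with answer, staleness and round checks instead of latestAnswer().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed feed interface exposing latestRoundData(); the page's IChainlinkFeed only has latestAnswer().
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract HardenedOracle {
    struct FeedData { IAggregatorV3 feed; uint8 tokenDecimals; }

    address public operator;
    mapping(address => FeedData) public feeds;
    uint256 public constant MAX_DELAY = 1 hours; // assumed staleness bound, not a value from the page

    modifier onlyOperator() { require(msg.sender == operator, "ONLY OPERATOR"); _; }

    constructor() { operator = msg.sender; }

    // Finding 1: bound tokenDecimals so that 36 - feedDecimals - tokenDecimals can never underflow.
    function setFeed(address token, IAggregatorV3 feed, uint8 tokenDecimals) public onlyOperator {
        uint8 feedDecimals = feed.decimals();
        require(uint256(feedDecimals) + tokenDecimals <= 36, "decimals too large");
        feeds[token] = FeedData(feed, tokenDecimals);
    }

    // Finding 2: validated latestRoundData() instead of the deprecated latestAnswer().
    function getPrice(address token) public view returns (uint256) {
        FeedData memory data = feeds[token];
        require(address(data.feed) != address(0), "no feed");
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = data.feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_DELAY, "stale price");
        require(answeredInRound >= roundId, "stale round");
        // Safe: setFeed() guarantees feedDecimals + tokenDecimals <= 36.
        uint8 decimals = 36 - data.feed.decimals() - data.tokenDecimals;
        return uint256(answer) * 10 ** decimals;
    }
}
```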
#0 - neumoxx
2022-10-31T08:46:52Z
Duplicate of #601
#1 - c4-judge
2022-11-05T17:55:46Z
0xean marked the issue as duplicate
#2 - Simon-Busch
2022-12-05T15:23:09Z
Issue marked as satisfactory as requested by 0xean
#3 - c4-judge
2022-12-07T08:14:13Z
Simon-Busch marked the issue as duplicate of #584