bunker.finance contest - Ruhum's results

The easiest way to borrow against your NFTs.

General Information

Platform: Code4rena

Start Date: 03/05/2022

Pot Size: $50,000 USDC

Total HM: 4

Participants: 46

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 117

League: ETH

Researcher Performance

Rank: 15/46

Findings: 1

Award: $298.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: cccz

Also found by: 0x1f8b, 0xNazgul, GimelSec, IllIllI, Ruhum, hake, kebabsec, oyc_109, sorrynotsorry, throttle, tintin

Labels

bug
duplicate
2 (Med Risk)

Awards

298.5767 USDC - $298.58

External Links

Lines of code

https://github.com/bunkerfinance/bunker-protocol/blob/main/contracts/PriceOracleImplementation.sol#L29

Vulnerability details

Impact

The Chainlink oracle latestAnswer() function is deprecated. Instead, you're supposed to use latestRoundData().

Using deprecated functions can result in the PriceOracleImplementation not returning the correct value anymore. It will affect the availability of that module.

Proof of Concept

Usage of latestAnswer(): https://github.com/bunkerfinance/bunker-protocol/blob/main/contracts/PriceOracleImplementation.sol#L29

You can find the deprecation notice in the used contract itself: https://etherscan.io/address/0x986b5E1e1755e3C2440e960477f25201B0a8bbD4#code#L142

Tools Used

none

Use latestRoundData() and verify its return values properly, e.g. that the price was updated recently.
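
A sketch of the recommended check, added here as an illustration and not taken from bunker-protocol or from the finding. The contract name `CheckedPriceReader`, the `maxAge` parameter and the revert strings are assumptions; `latestRoundData()` and its return tuple are Chainlink's AggregatorV3Interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink's AggregatorV3Interface, reduced to the one function used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical wrapper (assumption, not the project's contract).
contract CheckedPriceReader {
    AggregatorV3Interface public immutable feed;
    // Assumption: maximum accepted age of a price in seconds,
    // chosen per feed from its documented heartbeat.
    uint256 public immutable maxAge;

    constructor(AggregatorV3Interface _feed, uint256 _maxAge) {
        feed = _feed;
        maxAge = _maxAge;
    }

    function getCheckedPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();

        // A zero or negative answer must never be used as a price.
        require(answer > 0, "oracle: non-positive price");
        // updatedAt == 0 means the round has not been completed.
        require(updatedAt != 0, "oracle: round not complete");
        // Reject prices older than the configured window. Under 0.8 checked
        // arithmetic this also reverts if updatedAt is in the future.
        require(block.timestamp - updatedAt <= maxAge, "oracle: price too old");

        return uint256(answer);
    }
}
```

Reverting on a stale or invalid answer makes the caller fail closed instead of pricing collateral from outdated data.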

#0 - bunkerfinance-dev

2022-05-07T21:59:12Z

Duplicate of #1
