Inverse Finance contest - Wawrdog's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Findings Distribution

Researcher Performance

Rank: 123/127

Findings: 1

Award: $0.38

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Inverse Finance

Findings Information

🌟 Selected for report: rbserver

Also found by: 0x1f8b, 0xNazgul, 0xc0ffEE, 8olidity, Aymen0909, Chom, Franfran, Jeiwan, Jujic, Lambda, M4TZ1P, Olivierdem, Rolezn, Ruhum, TomJ, Wawrdog, __141345__, bin2chen, c7e7eff, carlitox477, catchup, cccz, codexploder, cuteboiz, d3e4, dipp, djxploit, eierina, elprofesor, hansfriese, horsefacts, idkwhatimdoing, imare, immeas, joestakey, ladboy233, leosathya, martin, minhtrng, pashov, peanuts, pedroais, rokinot, rvierdiiev, saneryee, sorrynotsorry, tonisives

Awards

0.385 USDC - $0.38

Labels

bug

2 (Med Risk)

satisfactory

duplicate-584

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L78-L105 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L112-L144 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L6

Vulnerability details

Impact

The Chainlink functions latestAnswer() is deprecated. Instead, use the latestRoundData() and getRoundData() functions.

Proof of Concept

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L6 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L78-L105 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L112-L144

Visit https://etherscan.io/address/0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419#code, expand 'latestAnswer()' function to find deprecation notice:

"overridden function to add the checkAccess() modifier#[deprecated] Use latestRoundData instead. This does not error if no answer has been reached, it will simply return 0. Either wait to point to an already answered Aggregator or use the recommended latestRoundData instead which includes better verification information."

Tools Used

IDE

Recommended Mitigation Steps

Update two functions and interface to utilise recommended function 'latestRoundData' instead

#0 - neumoxx
2022-10-31T08:48:58Z

Duplicate of #601

#1 - c4-judge
2022-11-05T17:50:28Z

0xean marked the issue as duplicate

#2 - Simon-Busch
2022-12-05T15:26:33Z

Issue marked as satisfactory as requested by 0xean

#3 - c4-judge
2022-12-07T08:14:14Z

Simon-Busch marked the issue as duplicate of #584

Inverse Finance contest - Wawrdog's results

Rethink the way you borrow.

General Information

Findings Distribution

Researcher Performance

External Links

[M-17] Use of deprecated Chainlink function - latestAnswer() - $0.38

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - neumoxx2022-10-31T08:48:58Z

#1 - c4-judge2022-11-05T17:50:28Z

#2 - Simon-Busch2022-12-05T15:26:33Z

#3 - c4-judge2022-12-07T08:14:14Z

#0 - neumoxx
2022-10-31T08:48:58Z

#1 - c4-judge
2022-11-05T17:50:28Z

#2 - Simon-Busch
2022-12-05T15:26:33Z

#3 - c4-judge
2022-12-07T08:14:14Z