Platform: Code4rena
Start Date: 26/08/2021
Pot Size: $200,000 USDC
Total HM: 17
Participants: 11
Period: 14 days
Judge: ghoulsol
Total Solo HM: 12
Id: 23
League: ETH
Rank: 9/11
Findings: 2
Award: $544.88
🌟 Selected for report: 1
🚀 Solo Findings: 0
136.2212 NOTE - $136.22
408.6635 USDC - $408.66
a_delamo
On `ExchangeRate.sol`, we are using `latestRoundData`, but there are no validations that the data is not stale.
The current code is:
```solidity
(
    /* uint80 */,
    rate,
    /* uint256 */,
    /* uint256 */,
    /* uint80 */
) = AggregatorV2V3Interface(rateOracle).latestRoundData();
require(rate > 0, "ExchangeRate: invalid rate");
```
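But it is missing the checks to validate whether the data is stale:
```solidity
(uint80 roundId, int256 rawPrice, , uint256 updatedAt, uint80 answeredInRound) =
    AggregatorV2V3Interface(rateOracle).latestRoundData();
require(rawPrice > 0, "Chainlink price <= 0");
// updatedAt == 0 means the round has not completed yet
require(updatedAt != 0, "Incomplete round");
// answeredInRound < roundId means the answer is carried over from an earlier round
require(answeredInRound >= roundId, "Stale price");
```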
More information: https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round
#0 - ghoul-sol
2021-09-15T22:48:02Z
This was a tough one. I thought about it for a while, and after reviewing Chainlink data I ended up concluding that this deserves medium risk. It's not uncommon for Chainlink prices to be more than 1h old, and in times of big price movements, a 1h price lag can significantly influence the protocol.
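An added example, not part of the original finding or the audited code: a Solidity helper that combines the round checks proposed in the finding with a maximum-age bound, which goes one step further and covers the hour-old prices raised in the judge's comment. `FreshRate`, `RateReader`, `MockFeed` and the `maxAge` parameter are hypothetical names and assumptions; only the `latestRoundData()` signature is Chainlink's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal slice of the Chainlink aggregator interface (real signature).
interface IAggregator {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper (added example, not the audited project's code).
library FreshRate {
    function read(IAggregator feed, uint256 maxAge) internal view returns (int256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "FreshRate: invalid rate");
        require(updatedAt != 0, "FreshRate: incomplete round");
        // answeredInRound < roundId: the answer is carried over from an older round.
        require(answeredInRound >= roundId, "FreshRate: stale round");
        // Assumption: maxAge is set per feed, somewhat above its heartbeat.
        require(updatedAt <= block.timestamp, "FreshRate: future timestamp");
        require(block.timestamp - updatedAt <= maxAge, "FreshRate: price too old");
        return answer;
    }
}

// Hypothetical consumer: every rate read goes through the guarded path.
contract RateReader {
    IAggregator public immutable feed;
    uint256 public immutable maxAge;
    constructor(IAggregator feed_, uint256 maxAge_) { feed = feed_; maxAge = maxAge_; }
    function rate() external view returns (int256) { return FreshRate.read(feed, maxAge); }
}

// Constructed mock feed for local tests: set any round tuple and call rate().
contract MockFeed is IAggregator {
    uint80 private _roundId; int256 private _answer;
    uint256 private _updatedAt; uint80 private _answeredInRound;
    function set(uint80 r, int256 a, uint256 u, uint80 air) external {
        (_roundId, _answer, _updatedAt, _answeredInRound) = (r, a, u, air);
    }
    function latestRoundData() external view override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (_roundId, _answer, _updatedAt, _updatedAt, _answeredInRound);
    }
}
```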