Platform: Code4rena
Start Date: 19/04/2022
Pot Size: $30,000 USDC
Total HM: 10
Participants: 43
Period: 3 days
Judges: moose-code, JasoonS
Total Solo HM: 7
Id: 90
League: ETH
Rank: 27/43
Findings: 2
Award: $83.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
22.0499 USDC - $22.05
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-84
Oracle might return stale data for basePrice and quotePrice.
refreshedAssetPerBaseInUQ in ChainlinkPriceOracle.sol does not check if the data from Chainlink is fresh (https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L83-84). If there is a problem with the Chainlink oracle, this contract may be supplied with incorrect or stale data.
See these previous issues for reference: https://github.com/code-423n4/2021-10-mochi-findings/issues/87 https://github.com/code-423n4/2022-01-yield-findings/issues/78
Manual code review, previous bug reports
Implement checks with require statements using the roundID and answeredInRound info supplied by Chainlink to ensure the data is fresh. See the mitigation in https://github.com/code-423n4/2021-10-mochi-findings/issues/87.
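The freshness check recommended above, written out as an added example; it is not code from the Phuture repository or from the linked reports. The library and contract names, the `maxAge` bound, and the extra `updatedAt`, `answer` and age checks are assumptions that go beyond the roundID/answeredInRound comparison the finding names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface needed for the check.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
}

// Hypothetical helper library (name and layout are assumptions, not Phuture code).
library FreshPrice {
    /// @param maxAge Assumed staleness bound in seconds, chosen per feed by the integrator.
    function read(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // Check named in the finding: an answer computed in an earlier round
        // than the one being reported is carried over, i.e. stale.
        require(answeredInRound >= roundId, "stale price");
        // Added assumption: a zero timestamp means the round has not completed.
        require(updatedAt != 0, "round incomplete");
        // Added assumption: reject zero or negative answers before casting.
        require(answer > 0, "invalid price");
        // Added assumption: bound the age of the answer as well. The checked
        // subtraction also reverts if updatedAt is in the future.
        require(block.timestamp - updatedAt <= maxAge, "price too old");

        return uint256(answer);
    }
}

// Hypothetical consumer reading both legs of a base/quote pair through the check.
contract PairPriceReader {
    using FreshPrice for AggregatorV3Interface;

    AggregatorV3Interface public immutable baseFeed;
    AggregatorV3Interface public immutable quoteFeed;
    uint256 public constant MAX_AGE = 1 hours; // assumed value, tune per feed

    constructor(AggregatorV3Interface base_, AggregatorV3Interface quote_) {
        baseFeed = base_;
        quoteFeed = quote_;
    }

    function prices() external view returns (uint256 basePrice, uint256 quotePrice) {
        basePrice = baseFeed.read(MAX_AGE);
        quotePrice = quoteFeed.read(MAX_AGE);
    }
}
```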
#0 - olivermehr
2022-05-02T20:05:01Z
Duplicate of #1
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0xDjango, 0xkatana, Dravee, Kenshin, Tadashi, TerrierLover, abhinavmir, defsec, ellahi, fatima_naz, foobar, gzeon, hyh, joestakey, kebabsec, kenta, minhquanym, oyc_109, rayn, robee, sseefried, xpriment626, z3s
61.7413 USDC - $61.74
TYPOS
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/interfaces/IAnatomyUpdater.sol#L6 "aatomy" should be "anatomy"
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/libraries/FullMath.sol#L101 "precoditions" should be "preconditions"