Phuture Finance contest - peritoflores's results

Lines of code

https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/ChainlinkPriceOracle.sol#L80-L94

Vulnerability details

Impact

Oracle can retrieve unchecked stale data

Proof of Concept

In ChainlinkpriceOracle.sol the function

function refreshedAssetPerBaseInUQ(address _asset) public override returns (uint) {
    AssetInfo storage assetInfo = assetInfoOf[_asset];

    (, int basePrice, , , ) = baseAggregator.latestRoundData();
    (, int quotePrice, , , ) = assetInfo.aggregator.latestRoundData();

    require(basePrice > 0 && quotePrice > 0, "ChainlinkPriceOracle: NEGATIVE");

    uint assetPerBaseInUQ = ((uint(basePrice) * 10**assetInfo.decimals).mulDiv(
        FixedPoint112.Q112,
        (uint(quotePrice) * 10**baseDecimals)
    ) * 10**assetInfo.answerDecimals) / 10**baseAnswerDecimals;
    assetInfo.lastAssetPerBaseInUQ = assetPerBaseInUQ;
    return assetPerBaseInUQ;
}

Is checking that baseprice and quoteprice are higher than zero. However, according to chainlink documentation you also need to check if the data retrieved is stale

Tools Used

Manual code review

Recommended Mitigation Steps

Add

(uint80 roundID, int basePrice, ,uint updatedAt, uint 80 answeredInRound ) = baseAggregator.latestRoundData();


require(
    updatedAt != 0,
    “ChainlinkPriceOracle: round is not complete”
);
require(
    answeredInRound >= roundID,
   “ChainlinkPriceOracle: stale data”
);

and the same logic for quotePrice