Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 98/106
Findings: 1
Award: $18.31
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x52, 0xNazgul, Franfran, IllIllI, Jeiwan, Lambda, RaymondFam, Rolezn, Trust, __141345__, codecustard, erictee, gzeon, hansfriese, imare, rbserver, rvierdiiev, seyni, skinz, ujamal_
18.3064 USDC - $18.31
ParaSpaceOracle uses latestAnswer in getAssetPrice. The documentation state that source could be "chainlink or other sources".
The price could be fine if it has already been validated by a source and then retrieved using source.latestAnswer(). But, if source is chainlink for which latestAnswer is deprecated it might lead to this issues:
This would lead for the protocol to stop operating and needing to be redeployed.
https://docs.chain.link/data-feeds/price-feeds/api-reference#accesscontrolledoffchainaggregator
price = uint256(source.latestAnswer());
Manual review.
I recommend using latestRoundData instead of latestAnswer with added checks of price freshness.
#0 - c4-judge
2022-12-20T17:44:20Z
dmvt marked the issue as duplicate of #5
#1 - c4-judge
2023-01-23T15:17:32Z
dmvt marked the issue as satisfactory