ParaSpace contest - skinz's results

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/ParaSpaceOracle.sol#L130

Vulnerability details

Price can be old and can lead to wrong answer return value.

Proof of Concept

Oracle data feed is insufficiently validated. There is no check for stale price and round completeness. Price can be stale and can lead to wrong answer return value. Buy with a newer price on another platform, use oracle’s stale price for arbitrage.

Recommended Mitigation Steps

Check for roundId and timestamp to validate data. Include in if loop if fallbackOracle is preferred solution for stale price. Alternatively, put extra require checks at the end of the function. price = uint256(source.latestRoundData();

require(answer != 0, Errors.ORACLE_PRICE_NOT_READY);
require(answeredInRound >= roundID, "ChainLink: Stale price");
require(timestamp > 0, "ChainLink: Round not complete");

Refer to https://docs.chain.link/docs/price-feeds-api-reference/

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/ParaSpaceOracle.sol#L128

Vulnerability details

According to Chainlink’s documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stops supporting deprecated APIs. And the old API can return stale data.

Proof of Concept

ParaSpaceOracle.sol#L128. UiIncentiveDataProvider.sol#L118, L179, L275, L342. UiPoolDataProvider.sol#L221, L232, L245.

Recommended Mitigation Steps

Use the latestRoundData function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is incomplete. https://docs.chain.link/docs/price-feeds-api-reference/