Inverse Finance contest - tonisives's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Findings Distribution

Researcher Performance

Rank: 125/127

Findings: 1

Award: $0.38

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Inverse Finance

Findings Information

🌟 Selected for report: rbserver

Also found by: 0x1f8b, 0xNazgul, 0xc0ffEE, 8olidity, Aymen0909, Chom, Franfran, Jeiwan, Jujic, Lambda, M4TZ1P, Olivierdem, Rolezn, Ruhum, TomJ, Wawrdog, __141345__, bin2chen, c7e7eff, carlitox477, catchup, cccz, codexploder, cuteboiz, d3e4, dipp, djxploit, eierina, elprofesor, hansfriese, horsefacts, idkwhatimdoing, imare, immeas, joestakey, ladboy233, leosathya, martin, minhtrng, pashov, peanuts, pedroais, rokinot, rvierdiiev, saneryee, sorrynotsorry, tonisives

Awards

0.385 USDC - $0.38

Labels

bug

2 (Med Risk)

satisfactory

duplicate-584

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol/#L82 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol/#L116

Vulnerability details

The contracts use Chainlink’s deprecated API latestAnswer(). This function might suddenly stop working if Chainlink stopped supporting deprecated APIs.

Deprecation: https://docs.chain.link/docs/data-feeds/price-feeds/api-reference/#latestanswer

Impact

Deprecated API stops working. Prices cannot be obtained. Protocol stops and contracts have to be redeployed.

Recommended Mitigation Steps

Use V3 interface functions: https://docs.chain.link/docs/price-feeds-api-reference/ with latestRoundData

When using that function, you can also check for stale data

(uint80 roundID, int256 answer, , uint256 timestamp, uint80 answeredInRound) = _ethOracle.latestRoundData();
require(answeredInRound >= roundID, "Stale price");
require(timestamp != 0,"Round not complete");
require(answer > 0,"Chainlink answer reporting 0");

Here you could also check the answer’s timestamp, to verify it is actually for today, and not stale data. Then you can set the correct daily low.

dailyLows[token][day] = normalizedPrice

https://docs.chain.link/docs/data-feeds/price-feeds/historical-data/#historical-rounds

#0 - neumoxx
2022-10-31T08:45:26Z

Duplicate of #601

#1 - c4-judge
2022-11-05T21:31:44Z

0xean marked the issue as duplicate

#2 - Simon-Busch
2022-12-05T15:27:27Z

Issue marked as satisfactory as requested by 0xean

#3 - c4-judge
2022-12-07T08:14:13Z

Simon-Busch marked the issue as duplicate of #584

Inverse Finance contest - tonisives's results

Rethink the way you borrow.

General Information

Findings Distribution

Researcher Performance

External Links

[M-17] Use of deprecated ChainLink API - $0.38

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Recommended Mitigation Steps

#0 - neumoxx2022-10-31T08:45:26Z

#1 - c4-judge2022-11-05T21:31:44Z

#2 - Simon-Busch2022-12-05T15:27:27Z

#3 - c4-judge2022-12-07T08:14:13Z

#0 - neumoxx
2022-10-31T08:45:26Z

#1 - c4-judge
2022-11-05T21:31:44Z

#2 - Simon-Busch
2022-12-05T15:27:27Z

#3 - c4-judge
2022-12-07T08:14:13Z