Back to ye0lde's contests

Yield-Convex contest - ye0lde's results

Fixed-rate borrowing and lending on Ethereum

General Information

Platform: Code4rena

Start Date: 28/01/2022

Pot Size: $30,000 USDC

Total HM: 4

Participants: 22

Period: 3 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 80

League: ETH

Yield

Findings Distribution

Researcher Performance

Rank: 17/22

Findings: 2

Award: $69.12

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryYield

Findings Information

🌟 Selected for report: throttle

Also found by: 0x1f8b, TomFrenchBlockchain, WatchPug, cccz, defsec, hack3r-0m, hyh, kenzo, leastwood, sirhashalot, ye0lde

Labels

bug
duplicate
2 (Med Risk)

Awards

69.1238 USDC - $69.12

External Links

Link to GitHub issue

Handle

ye0lde

Vulnerability details

Impact

Oracle might return stale or incorrect results (Cvx3CrvOracle.sol)

The _peek function in the contract Cvx3CrvOracle.sol fetches the daiPrice, usdcPrice, usdtPrice from a Chainlink aggregator using the latestRoundData function. If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale or incorrect data.

Proof of Concept

https://github.com/code-423n4/2022-01-yield/blob/e946f40239b33812e54fafc700eb2298df1a2579/contracts/Cvx3CrvOracle.sol#L110-L127

        (, int256 daiPrice, , , ) = DAI.latestRoundData();
        (, int256 usdcPrice, , , ) = USDC.latestRoundData();
        (, int256 usdtPrice, , , ) = USDT.latestRoundData();


        require(
            daiPrice > 0 && usdcPrice > 0 && usdtPrice > 0,
            "Chainlink pricefeed reporting 0"
        );

Tools Used

Visual Studio Code, Remix

I suggest the following changes including moving the calls to latestRoundData into a new function. Replace lines 120-127 with:

         (int256 daiPrice, int256 usdcPrice, int256 usdtPrice) = getPrices();

and add the getPrices function:

    function getPrices(
    ) private view returns (int256, int256, int256) {

        (uint80 daiRoundId,  int256 daiPrice,  , uint256 daiUpdateTime,  uint80 daiAnsweredInRound ) = DAI.latestRoundData();  
        (uint80 usdcRoundId, int256 usdcPrice, , uint256 usdcUpdateTime, uint80 usdcAnsweredInRound) = USDC.latestRoundData();
        (uint80 usdtRoundId, int256 usdtPrice, , uint256 usdtUpdateTime, uint80 usdtAnsweredInRound) = USDT.latestRoundData();

        require(
            daiPrice > 0 && usdcPrice > 0 && usdtPrice > 0,
            "Chainlink pricefeed reporting 0"
        );

        require(
            daiUpdateTime != 0 && usdcUpdateTime != 0 && usdtUpdateTime != 0,
            "Chainlink pricefeed reporting incomplete round"
        );

        require(
            daiAnsweredInRound >= daiRoundId && usdcAnsweredInRound >= usdcRoundId 
            && usdtAnsweredInRound >= usdtRoundId,
            "Chainlink pricefeed reporting stale price"
        );

        return (daiPrice, usdcPrice, usdtPrice);
    }

#0 - iamsahu

2022-02-01T19:31:00Z

Duplicate of #136

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter