Chainlink price is used without checking validity

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L361
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L345C9-L346C46

Summary

The Meta protocol relies on a Chainlink price oracle to calculate the excess income distributed to all mUSD holders. However, the current implementation lacks checks for the staleness of the price obtained from Chainlink.

Vulnerability Details

(, int256 price,,,) = priceFeed.staleCheckLatestRoundData();
// 1 ETH = $1000
// The returned value from CL will be 1000 * 1e8
return ((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;

This omission becomes a problem if Chainlink starts a new round and struggles to reach consensus on the new value. Without proper checks, consumers of this contract may keep using outdated, stale, or incorrect data for as long as the oracles are unable to submit and start a new round. Possible reasons include Chainlink nodes abandoning the feed, chain congestion, or vulnerabilities in or attacks on the Chainlink system.

Additionally, it is important to check whether the Arbitrum sequencer is active before trusting the price.

Please refer to the issue at sherlock-audit/2022-11-sentiment-judging#3 for more information.

Impact

This vulnerability is classified as MEDIUM because it affects user assets only while the Chainlink oracle is in a bad state.

Tools Used

Code review

Recommendations

To address this issue, it is recommended to implement checks to ensure that the price returned by Chainlink is not stale. The following code snippet can be used to validate the price obtained from Chainlink:
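As an added illustration of the checks the recommendation describes (this is not the project's code and not the snippet the finding refers to; the library name, error names, the `maxAge` and `gracePeriod` parameters and the interface declaration are assumptions), a consumer-side validation that rejects a non-positive answer, an answer older than the feed's heartbeat, an incomplete round, and, on an L2 such as Arbitrum, a price read while the sequencer is down or has only just come back:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal copy of the Chainlink AggregatorV3Interface shape used by both price
// feeds and L2 sequencer uptime feeds.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical helper (assumption, not DSCEngine code) showing the
///         validity checks a Chainlink consumer should apply before using a price.
library PriceFeedChecks {
    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    /// @param priceFeed      the asset/USD aggregator to read
    /// @param maxAge         maximum accepted age of the answer, in seconds; pick a
    ///                       value at or above the feed's documented heartbeat
    /// @param sequencerFeed  L2 sequencer uptime feed, or address(0) on chains
    ///                       without one (the sequencer check is then skipped)
    /// @param gracePeriod    seconds to keep rejecting prices after the sequencer
    ///                       comes back, so that backlog-filled rounds are not trusted
    function getValidatedPrice(
        AggregatorV3Interface priceFeed,
        uint256 maxAge,
        AggregatorV3Interface sequencerFeed,
        uint256 gracePeriod
    ) internal view returns (uint256) {
        if (address(sequencerFeed) != address(0)) {
            (, int256 status, uint256 startedAt,,) = sequencerFeed.latestRoundData();
            // Sequencer uptime feeds answer 0 when the sequencer is up and 1 when it is down.
            if (status != 0) revert SequencerDown();
            // startedAt is the time the current status began; right after a restart
            // the price feeds may not have caught up yet.
            if (block.timestamp - startedAt <= gracePeriod) revert GracePeriodNotOver();
        }

        (uint80 roundId, int256 answer,, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // A zero or negative answer is never a valid USD price.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round never completed; otherwise enforce freshness.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
        // A round answered before it was started indicates the feed fell behind.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        return uint256(answer);
    }
}
```

The age check is the load-bearing one: `answeredInRound` is marked deprecated in current Chainlink documentation and on OCR feeds it normally equals `roundId`, so it guards against nothing on its own. `maxAge` has to be chosen per feed from the heartbeat published on Chainlink's data-feed pages; a single protocol-wide timeout that is shorter than a feed's heartbeat will make the contract revert on healthy feeds, and one that is much longer reintroduces the stale-price exposure this finding describes.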