Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should check return data from Chainlink aggregators #70

Open
code423n4 opened this issue May 27, 2021 · 2 comments
Open

Should check return data from Chainlink aggregators #70

code423n4 opened this issue May 27, 2021 · 2 comments
Labels
2 (Med Risk) bug Something isn't working resolved sponsor confirmed

Comments

@code423n4
Copy link
Contributor

Handle

shw

Vulnerability details

Impact

The getEtherPrice function in the contract FSDNetwork fetches the ETH price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID nor timeStamp, resulting in stale prices.

Proof of Concept

Referenced code:
FSDNetwork.sol#L376-L381

Recommended Mitigation Steps

Add checks on the return data with proper revert messages if the price is stale or the round is uncomplete, for example:

(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = ETH_CHAINLINK.latestRoundData();
require(answeredInRound >= roundID, "...");
require(timeStamp != 0, "...");
@code423n4 code423n4 added 1 (Low Risk) bug Something isn't working labels May 27, 2021
code423n4 added a commit that referenced this issue May 27, 2021
@code423n4
shw issue #70
8519a9a
This was referenced May 30, 2021
Closed
Closed
Closed
@fairside-core
Copy link
Collaborator

Fixed in PR#7.

@cemozerr
Copy link
Collaborator

cemozerr commented Jun 8, 2021

Labeling this as medium risk as stale ether price could put funds at risk.

@code423n4 code423n4 mentioned this issue Oct 27, 2021
Open
@sherlock-admin sherlock-admin mentioned this issue Nov 4, 2022
Closed
@kitty-the-kat kitty-the-kat mentioned this issue Jan 11, 2023
Open
@github-actions github-actions bot mentioned this issue Mar 1, 2023
Open
@sherlock-admin sherlock-admin mentioned this issue May 15, 2023
Closed
This was referenced May 23, 2023
Closed
Closed
Closed
@code423n4 code423n4 mentioned this issue Jun 5, 2023
Closed
This was referenced Jun 11, 2023
Closed
Closed
This was referenced Jun 29, 2023
Closed
Closed
Closed
Closed
Closed
Closed
@code423n4 code423n4 mentioned this issue Jul 22, 2023
Closed
This was referenced Aug 5, 2023
Closed
Open
@code423n4 code423n4 mentioned this issue Aug 7, 2023
Closed
@c4-bot-5 c4-bot-5 mentioned this issue Jan 25, 2024
Closed
@c4-bot-9 c4-bot-9 mentioned this issue Mar 16, 2024
Closed
@sherlock-admin2 sherlock-admin2 mentioned this issue Mar 20, 2024
Closed
@sherlock-admin2 sherlock-admin2 mentioned this issue Jun 4, 2024
Closed
@c4-judge c4-judge mentioned this issue Jun 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) bug Something isn't working resolved sponsor confirmed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cemozerr @fairside-core @code423n4