Lack of validation of latestRoundData
could lead to stale prices
#184
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-69
🤖_91_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/PriceFeed.sol#L45-L58
Vulnerability details
Impact
The PriceFeed contract could be returning outdated prices, leading to inaccurate calculations wherever the contract’s functionality is used. This could result in a loss of money for both the protocol and the users.
Proof of Concept
In order for the protocol to access the square root price of the base token in terms of the quote token, it uses
PriceFeed’s
function getSqrtPrice. Within it, a call to latestRoundData fromAggregatorV3Interface
is made in order to get the price for the specified price feed. The only validation done for the returned data is for thequoteAnswer
(in other words, the answer parameter), where the check confirms ifquoteAnswer
is greater than 0.getSqrtPrice gets called in the function getSqrtIndexPrice if there is a priceFeed address set for the pair. With no check implemented, the returned stale price is then used in PredyPool, GammaTradeMarket, PositionCalculator, and PerpMarketV1. In order of the most impact:
pairId
; as a result, there isn't much of a risk, but the wrong price is still returned.As it can be seen in the official documentation of
Chainlink Data Feeds
:If the
updatedAt
parameter isn’t properly validated, the protocol could continue to operate with stale prices as it wouldn’t be aware that there’s an issue.Tools Used
Manual Review
Recommended Mitigation Steps
For price freshness, the function getSqrtPrice should be updated as follows:
Assessed type
Oracle
The text was updated successfully, but these errors were encountered: