This repository has been archived by the owner on May 26, 2023. It is now read-only.

w42d3n - Chainlink’s latestRoundData might return stale or incorrect results #30

Closed
sherlock-admin opened this issue Nov 4, 2022 · 4 comments

Comments

@sherlock-admin
Contributor

Submitted by w42d3n

Severity: medium

Chainlink’s latestRoundData might return stale or incorrect results

Summary

The contract WSTETHOracle.sol calls out to a Chainlink oracle, reading the result of latestRoundData().

Vulnerability Detail

If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the Chainlink system), consumers of this contract may continue using outdated, stale or incorrect data (if oracles are unable to submit, no new round is started).

Impact

Stale prices that do not reflect the current market price anymore could be used which would influence the membership and cost share pricing.

References

Code Snippet

src/wsteth/WSTETHOracle.sol

L47-48:

(, int answer,, uint updatedAt,) =
        WSTETHFeed.latestRoundData();

Tool used

Manual Review

Recommendation

Recommend adding the following checks:

(, int answer,, uint updatedAt,) =
        WSTETHFeed.latestRoundData();

require(updatedAt != 0, "Incomplete round");
require(answer >= 0, "Stale price");
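The checks recommended above, carried through into a complete consumer, as an added example that is not part of the original finding or of the Sentiment code base. The contract names (GuardedFeedConsumer, MockAggregator), the maxStaleness parameter and the custom errors are assumptions for illustration; the AggregatorV3Interface signature is Chainlink's real one. It uses `answer > 0` rather than the `>= 0` in the recommendation, since a zero price is just as unusable as a negative one, and it adds the age check (`block.timestamp - updatedAt`) that a non-zero updatedAt alone does not give you:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Subset of Chainlink's AggregatorV3Interface (same signature as the real feed).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Hypothetical consumer (not WSTETHOracle): each failure mode of latestRoundData
/// described in the finding maps to a distinct revert, so callers cannot silently
/// consume a stale or incorrect price.
contract GuardedFeedConsumer {
    AggregatorV3Interface public immutable feed;
    /// Maximum accepted age of a price in seconds. Assumption: set this to the feed's
    /// published heartbeat plus a small grace period (e.g. 3600 + 600 for a 1h feed).
    uint256 public immutable maxStaleness;

    error IncompleteRound(uint80 roundId);
    error InvalidAnswer(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 blockTimestamp);
    error StaleRound(uint80 roundId, uint80 answeredInRound);

    constructor(AggregatorV3Interface feed_, uint256 maxStaleness_) {
        feed = feed_;
        maxStaleness = maxStaleness_;
    }

    /// Returns the latest answer only if it passed every check.
    function getPrice() external view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // Round never completed: updatedAt stays 0 until the round is finalised.
        if (updatedAt == 0) revert IncompleteRound(roundId);
        // Age check. A timestamp in the future would underflow here; Solidity 0.8
        // reverts on that, which is the behaviour we want for a corrupt value.
        if (block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp);
        }
        // Zero or negative prices are never valid for an asset feed.
        if (answer <= 0) revert InvalidAnswer(answer);
        // Legacy field: on current OCR feeds answeredInRound == roundId, so this is a
        // defensive check for older aggregators where the answer could lag the round.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        price = uint256(answer);
    }
}

/// Constructed mock for a local test (Foundry or Hardhat); not a real feed.
contract MockAggregator is AggregatorV3Interface {
    uint80 private _roundId;
    int256 private _answer;
    uint256 private _updatedAt;
    uint80 private _answeredInRound;

    function set(uint80 roundId_, int256 answer_, uint256 updatedAt_, uint80 answeredInRound_) external {
        _roundId = roundId_;
        _answer = answer_;
        _updatedAt = updatedAt_;
        _answeredInRound = answeredInRound_;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        // startedAt is reported equal to updatedAt; the consumer ignores it.
        return (_roundId, _answer, _updatedAt, _updatedAt, _answeredInRound);
    }
}
```

To exercise the stale path in a Foundry test, deploy MockAggregator, call `set(1, 2000e8, block.timestamp - 2 days, 1)`, then `vm.expectRevert` with the StalePrice selector before calling `getPrice()`; `set(1, 0, block.timestamp, 1)` should hit InvalidAnswer and `set(2, 2000e8, block.timestamp, 1)` should hit StaleRound.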
@w42d3n

w42d3n commented Nov 15, 2022

Escalate for 1 USDC:
My finding was labelled Medium by 'sherlock-admin' (not by a bot) and is certainly valid.
It might also have a severe impact on the protocol, and I think it deserves a reward.

@sherlock-admin
Contributor Author

Escalate for 1 USDC:
My finding was labelled Medium by 'sherlock-admin' (not by a bot) and is certainly valid.
It might also have a severe impact on the protocol, and I think it deserves a reward.

You've created a valid escalation for 1 USDC!

To remove the escalation from consideration: Delete your comment.
To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@Evert0x
Contributor

Evert0x commented Nov 18, 2022

Escalation rejected

A freshness and incorrect-value check is already present: https://github.com/sherlock-audit/2022-11-sentiment/blob/main/oracle-merged/src/wsteth/WSTETHOracle.sol#L50-L54

@sherlock-admin
Contributor Author

Escalation rejected

A freshness and incorrect-value check is already present: https://github.com/sherlock-audit/2022-11-sentiment/blob/main/oracle-merged/src/wsteth/WSTETHOracle.sol#L50-L54

This issue's escalations have been rejected!

Contestants' payouts and scores will not be updated.

Auditors who escalated this issue will have their escalation amount deducted from future payouts.
