Skip to content
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

0xmuxyz - Lack of validation to check whether or not the return value would be a stale price data #152

Closed
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Closed

0xmuxyz - Lack of validation to check whether or not the return value would be a stale price data #152

sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 3, 2023
edited by github-actions bot
Loading

0xmuxyz

medium

Lack of validation to check whether or not the return value would be a stale price data

Summary

Within the Oracle#getUnderlyingPrice(), the AggregatorV3Interface#latestRoundData(), which is made by the Chainlink, would be called to get the latest underlying token price data.

However, there is no validation to check whether or not the return value would be a stale price data.
This could lead to retrieving the stale prices.

Vulnerability Detail

Within the Oracle#getUnderlyingPrice(), the AggregatorV3Interface#latestRoundData(), which is made by the Chainlink, would be called to get the latest underlying token price data like this:
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L33-L35

    function getUnderlyingPrice(address underlying)
        virtual
        external
        view
        returns(int256 answer)
    {
        if (stablePrice[underlying] != 0) {
            return stablePrice[underlying];
        }
        (,answer,,,) = AggregatorV3Interface(chainLinkAggregatorMap[underlying]).latestRoundData(); /// @audit
        require(answer > 0, "Oracle.getUnderlyingPrice.non_positive");
        answer /= 100;
    }

However, there is no validation to check whether or not the return value would be a stale price data.
This could lead to retrieving the stale prices.

Here is a related-report that is previously reported:
code-423n4/2021-05-fairside-findings#70

Impact

The Oracle#getUnderlyingPrice() above would be called in the multiple functions like below:

Thus, a stale price data may be retrieved and used in these functions above.

Code Snippet

Tool used

Manual Review

Recommendation

Within the Oracle#getUnderlyingPrice(), consider adding the validations in order to check whether or not the retrieved-price via the AggregatorV3Interface#latestRoundData() would be a stale price data like this:

    function getUnderlyingPrice(address underlying)
        virtual
        external
        view
        returns(int256 answer)
    {
        if (stablePrice[underlying] != 0) {
            return stablePrice[underlying];
        }
-       (,answer,,,) = AggregatorV3Interface(chainLinkAggregatorMap[underlying]).latestRoundData();
+       (uint80 roundID, answer, uint256 timestamp, uint256 updatedAt, ) = AggregatorV3Interface(chainLinkAggregatorMap[underlying]).latestRoundData();
+       require(updatedAt >= roundID, "Stale price");
+       require(timestamp != 0,"Round not complete");
        require(answer > 0, "Oracle.getUnderlyingPrice.non_positive");
        answer /= 100;
    }

Duplicate of #18
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jul 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin