This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

dacian - Calls to Oracles don't check for stale prices #31

Labels: Has Duplicates (A valid issue with 1+ other issues describing the same vulnerability), Medium (A valid Medium severity issue), Reward (A payout will be made for this issue)

github-actions bot added the Medium and Has Duplicates labels on Jun 5, 2023.

This was referenced Jun 5, 2023 (Closed).
This was referenced Jun 22, 2023:
Madalad - Oracles will return the wrong price for asset if underlying aggregator hits minAnswer #871 (Closed)
dacian
medium
Calls to Oracles don't check for stale prices
Summary
Calls to Oracles don't check for stale prices.
Vulnerability Detail
None of the oracle calls check for stale prices, for example StableOracleDAI.getPriceUSD():
Impact
Oracle price feeds can become stale due to a variety of reasons. Using a stale price will result in incorrect calculations in most of the key functionality of USSD & USSDRebalancer contracts.
Code Snippet
StableOracleDAI.getPriceUSD()
StableOracleWBGL.getPriceUSD()
StableOracleWBTC.getPriceUSD()
StableOracleWETH.getPriceUSD()
Tool used
Manual Review
Recommendation
Read the updatedAt parameter from the calls to latestRoundData() and verify that it isn't older than a set amount, eg:
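The following is an added example of the recommended check, written for this page and not taken from the USSD project or the original report. It assumes the feed implements Chainlink's AggregatorV3Interface (a real interface; only the members used are copied here), and the contract name StaleCheckedOracle, the maxPriceAge threshold and the custom errors are hypothetical choices for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface, limited to the members used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical oracle wrapper (example code, not the USSD project's StableOracle*)
///         that refuses to return a price which is stale, non-positive, or from an incomplete round.
contract StaleCheckedOracle {
    AggregatorV3Interface public immutable feed;

    // Maximum accepted age of the latest answer (assumed, set per feed at deployment).
    // It should be somewhat longer than the feed's documented heartbeat interval,
    // otherwise normal operation will revert between regular updates.
    uint256 public immutable maxPriceAge;

    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    constructor(address feed_, uint256 maxPriceAge_) {
        feed = AggregatorV3Interface(feed_);
        maxPriceAge = maxPriceAge_;
    }

    /// @return price Latest feed answer scaled to 18 decimals; reverts instead of returning a stale value.
    function getPriceUSD() external view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // 1. The round must be complete. answeredInRound is deprecated on newer OCR feeds
        //    (it simply equals roundId there), so this check is harmless on those and
        //    still meaningful on older aggregators.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        // 2. The answer must be fresh. updatedAt == 0 means no answer was ever written.
        //    The subtraction reverts on underflow (Solidity 0.8), which is the desired
        //    behaviour if a feed ever reports a timestamp from the future.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, maxPriceAge);
        }

        // 3. A zero or negative answer is never a valid USD price.
        if (answer <= 0) revert InvalidPrice(answer);

        // Normalise to 18 decimals regardless of the feed's own precision.
        price = uint256(answer) * 1e18 / (10 ** uint256(feed.decimals()));
    }
}
```

Reverting rather than returning the last known value is the design choice here: callers such as a rebalancer should halt on a stale feed, not trade on it. Note that this freshness check does not address the separate problem raised in the referenced duplicate #871, where an aggregator pinned at its minAnswer still reports a fresh but wrong price; that needs its own bounds validation.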