This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

BugHunter101 - using latestRoundData() and turn int to uint but does not check if answer > 0 #4

Closed
sherlock-admin opened this issue Jul 5, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments


sherlock-admin commented Jul 5, 2023

BugHunter101

medium

using latestRoundData() and turn int to uint but does not check if answer > 0

Summary

Using latestRoundData() and turning int to uint without checking if answer > 0 will cause the result to be wrong.

Vulnerability Detail

This could lead to stale prices according to the Chainlink documentation:
https://docs.chain.link/data-feeds/price-feeds/historical-data
Related report:
code-423n4/2021-05-fairside-findings#70

And all the contracts have the same problem,
such as Vault.vy:
https://github.com/sherlock-audit/2023-06-unstoppable/blob/main/unstoppable-dex-audit/contracts/margin-dex/Vault.vy#L582

TrailingStopDex.vy:
https://github.com/sherlock-audit/2023-06-unstoppable/blob/main/unstoppable-dex-audit/contracts/spot-dex/TrailingStopDex.vy#L238

https://github.com/sherlock-audit/2023-06-unstoppable/blob/main/unstoppable-dex-audit/contracts/spot-dex/TrailingStopDex.vy#L245C1-L245C1

Impact

It will cause the result to be wrong.

This could lead to stale prices according to the Chainlink documentation:
https://docs.chain.link/data-feeds/price-feeds/historical-data
Related report:
code-423n4/2021-05-fairside-findings#70

Code Snippet

https://github.com/sherlock-audit/2023-06-unstoppable/blob/main/unstoppable-dex-audit/contracts/spot-dex/TrailingStopDex.vy#L238

https://github.com/sherlock-audit/2023-06-unstoppable/blob/main/unstoppable-dex-audit/contracts/spot-dex/TrailingStopDex.vy#L245C1-L245C1

https://github.com/sherlock-audit/2023-06-unstoppable/blob/main/unstoppable-dex-audit/contracts/margin-dex/Vault.vy#L582

Tool used

Manual Review

Recommendation

Please check the latestRoundData() return value, such as in:
sherlock-audit/2023-02-blueberry-judging#94

Duplicate of #200

github-actions bot added the labels "Medium" (A valid Medium severity issue) and "Duplicate" (A valid issue that is a duplicate of an issue with `Has Duplicates` label) on Jul 10, 2023.

sherlock-admin2 added the label "Non-Reward" (This issue will not receive a payout) and removed the labels "Medium" and "Duplicate" on Jul 19, 2023.
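
One way to validate the latestRoundData() return values the report refers to, written in Vyper 0.3.x as an added example (not part of the submission or of the audited contracts). The interface name `AggregatorV3`, the function `checked_price` and the `MAX_ORACLE_AGE` value are assumptions made for illustration.

```vyper
# @version ^0.3.7
# Added illustration; not code from the audited repository.

interface AggregatorV3:
    def latestRoundData() -> (uint80, int256, uint256, uint256, uint80): view

# Assumed value: choose it per feed from that feed's published heartbeat.
MAX_ORACLE_AGE: constant(uint256) = 3600

@view
@external
def checked_price(feed: address) -> uint256:
    # Vyper requires the tuple targets to be declared before assignment.
    round_id: uint80 = 0
    answer: int256 = 0
    started_at: uint256 = 0
    updated_at: uint256 = 0
    answered_in_round: uint80 = 0
    round_id, answer, started_at, updated_at, answered_in_round = AggregatorV3(feed).latestRoundData()

    # Reject zero and negative answers before the int256 -> uint256 conversion,
    # so a non-positive price never reaches the caller's arithmetic.
    assert answer > 0, "oracle: non-positive answer"
    # updated_at == 0 means the round has not completed.
    assert updated_at != 0, "oracle: incomplete round"
    # Reject answers older than the accepted age (stale price).
    # Checked arithmetic also reverts if updated_at lies in the future.
    assert block.timestamp - updated_at <= MAX_ORACLE_AGE, "oracle: stale price"

    return convert(answer, uint256)
```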