Lucene search
K

11 matches found

Code423n4
Code423n4
added 2023/08/02 12:0 a.m.8 views

Risk of Incorrect Collateral Pricing in Case of Aggregator Reaching minAnswer

Lines of code Vulnerability details Impact Chainlink aggregators have a built-in circuit breaker to prevent the price of an asset from deviating outside a predefined price range. This circuit breaker may cause the oracle to persistently return the minPrice instead of the actual asset price in the...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/01/25 12:0 a.m.9 views

Upgraded Q -> M from #472 [1674665995647]

Judge has assessed an item in Issue 472 as M risk. The relevant finding follows: L-01 CHAINLINK AGGREGATOR IS NOT SUFFICIENTLY VALIDATED AND CAN RETURN STALE ANSWER As shown below, calling the getAssetPrice function in the ParaSpaceOracle contract can execute price = uint256source.latestAnswer,...

7AI score
Exploits0
Code423n4
Code423n4
added 2022/05/04 12:0 a.m.11 views

Outdated Interface Implementation

Lines of code Vulnerability details Impact The Chainlink aggregator interface used by the project is outdated and does not permit the project to properly sanitize the price values it receives. Recommended Mitigation Steps The interface is to be updated according to the official Chainlink...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/04/19 12:0 a.m.11 views

Should check return data from chainlink aggregators

Lines of code Vulnerability details Impact The refreshedAssetPerBaseInUQ function in the contract ChainlinkPriceOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID nor timeStamp, resulting in stale prices. The...

6.4AI score
Exploits0
Code423n4
Code423n4
added 2022/04/12 12:0 a.m.10 views

Use of deprecated API for chainlink aggregator

Lines of code Vulnerability details Impact Price returned by oracle could be stale Proof of Concept The use of aggregator.latestAnswer is deprecated and could lead to stale data if the data wasn't recently updated. This is especially important for checking NFT prices since prices can change quick...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/02/23 12:0 a.m.15 views

Function getUnderlyingPrice in Oracle.sol does not check the price returned from chainlink aggregators

Lines of code Vulnerability details Impact The getUnderlyingPrice function in the contract Oracle.sol fetches the answer directly from a Chainlink aggregator using the latestRoundData function. There is no check if the return value is 0 or indicates stale data. This could lead to incorrect or sta...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/02/23 12:0 a.m.11 views

Functions getLatestRoundData and getRoundData do not check that the price returned from a chainlink aggregator is != 0 (Oracle.sol)

Lines of code Vulnerability details Impact The getLatestRoundData function in the contract Oracle.sol fetches the latestPrice directly from a Chainlink aggregator using the latestRoundData function. While latestPrice is checked for 0 and staleness, there is no check if the value is != 0. This cou...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2022/01/28 12:0 a.m.5 views

SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS

Handle defsec Vulnerability details Impact The peek function in the contract Cvx3CrvOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on timestamp, resulting in stale prices. The oracle wrapper calls out to a chainlink...

6.5AI score
Exploits0
Code423n4
Code423n4
added 2021/11/14 12:0 a.m.9 views

SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS

Handle defsec Vulnerability details Impact The consult function in the contract TwapOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on timeStamp, resulting in stale prices. The oracle wrapper calls out to a chainlink...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2021/11/09 12:0 a.m.9 views

Should a Chainlink aggregator become stuck in a stale state then TwapOracle will become irrecoverably broken

Handle TomFrench Vulnerability details Impact Inability to call consult on the TwapOracle and so calculate the exchange rate between USDV and VADER. Proof of Concept Should any of the Chainlink aggregators used by the TwapOracle becomes stuck in such a state that the check on L143-146 of...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2021/05/27 12:0 a.m.5 views

Should check return data from Chainlink aggregators

Handle shw Vulnerability details Impact The getEtherPrice function in the contract FSDNetwork fetches the ETH price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID nor timeStamp, resulting in stale prices. Proof of Concept Referenced code:...

6.9AI score
Exploits0
Rows per page
Query Builder