25 matches found
First deposit of 1 Wei will block further rsETH minting
Lines of code Vulnerability details Impact If the initial deposit in the DepositPool is 1 wei of any supported token rETH, cbETH, or stETH, 1 wei of rsETH will be minted for the first depositor. However, subsequent rsETH minting will be prevented because the rsethAmountToMint will always round do...
Users could game oracle price deviation
Lines of code Vulnerability details Summary Prices returned from Chainlink oracles have different conditions to update the reported values, which can be abused by Impact Prices for the different LST assets supported in the Kelp protocol are obtained from a Chainlink oracle. The data feeds for eac...
Users can deposit() even when Chainlink's price feed for CVX is stale
Lines of code Vulnerability details Bug Description In VotiumStrategy.sol, the price of vAfEth is determined by the price function: VotiumStrategy.solL31-L33 function price external view override returns uint256 return cvxPerVotium ethPerCvxfalse / 1e18; As seen from above, it calls ethPerCVX wit...
Price Manipulation Through Vulnerability in simulateRange Function
Lines of code Vulnerability details Impact The simulateRange function, although designed for simulation and testing purposes, could potentially be exploited in a sandwich attack scenario. A malicious actor could front-run a user's transaction by using a flash loan to manipulate the price,...
Check for the L2 Sequencer's uptime when calling the Chainlink feed is not implemented
Lines of code Vulnerability details Impact The getAnswer function in the LPOracle and OracleConvert contracts has a vulnerability that does not include a check for the Sequencer's uptime when calling the Chainlink feed CLTOKENA, CLTOKENB. In Layer 2 L2 systems, the Chainlink oracle may return an...
Lottery owner can rig the draw to win the jackpot by swapping the source
Lines of code Vulnerability details Lottery owner can rig the draw to win the jackpot by swapping the source Impact The lottery owner has the ability to swap the Random Source under certain cirumstances, and this can be exploited to set a new source contract that returns any number set by it. Thi...
Dangerous casting from i256 to u256 of the price returned by the Chainlink oracle
Lines of code Vulnerability details Impact Referring to the docs, Chainlink oracles are returning the price as an int256, which means that the answer can be a negative price. Later, this price is casted as an uint256 in the case of an oracle that is set, which overflows when price 0. Any price...
Decimals of the oracle is not checked
Lines of code Vulnerability details Impact Decimals of the Chainlink oracle is not checked, it is assumed to have the same unit as BASECURRENCYUNIT but it might not always be the case. If the oracle use a different number of decimals all the price will be wrong by magnitudes. Proof of Concept...
Protocol's usability becomes very limited when access to Chainlink oracle data feed is blocked
Lines of code Vulnerability details Impact Based on the current implementation, when the protocol wants to use Chainlink oracle data feed for getting a collateral token's price, the fixed price for the token should not be set. When the fixed price is not set for the token, calling the Oracle...
PegOracle.sol#L59 : Issue with "price1" calculation.
Lines of code Vulnerability details Impact The calculated price1 could be negative or outdated one. This could affects the codes places wherever the latestRoundData is used to determine the price. one of the place is in Controller.solL261 - function getLatestPriceaddress token Proof of Concept...
No authentication for SimplePriceOracle
Lines of code Vulnerability details Impact Anyone can call setUnderlyingPrice on the SimplePriceOracle to set the oracle values. These are in turn used for the interest calculations, meaning anyone can manipulate this calculation via the Oracle. Note that SimplePriceOracle in Compound is only...
Deprecated Chainlink oracle API
Lines of code Vulnerability details Impact Deprecated Chainlink oracle API. API might stop working. Prices could be outdated. Protocol might need to be redeployed or false prices might lead to users losing funds. Proof of Concept The contracts use Chainlink’s deprecated API latestAnswer. Such...
Oracle Prices Could Be Stale Or Manipulated due to latestAnswer() call
Lines of code Vulnerability details Impact In calls to the Chainlink oracle, the deprecated API function latestAnswer is used. This approach is vulnerable to price manipulation and stale prices according to the Chainlink documentation. This vulnerability was marked as Medium severity in the...
Chainlink oracle data can be stale
Lines of code Vulnerability details Impact Oracle data can be stale which can lead to wrong calculations for balancing indexes. Proof of Concept When lastRoundData is called only price is pulled from the provided data. RoundId should be checked to ensure the data is updated. Recommended Mitigatio...
Chainlink oracle might return stale data
Lines of code Vulnerability details Impact Oracle might return stale data for basePrice and quotePrice. Proof of Concept refreshedAssetPerBaseInUQ in ChainlinkPriceOracle.sol does not check if the data from Chainlink is fresh . If there is a problem with the Chainlink oracle, this contract may be...
use of deprecated chainlink oracle method
Lines of code Vulnerability details Impact latestanswer , this method does not error if no answer has been reached, it will simply return 0, since we have checks in function requireanswer 0, "invalidoracleanswer"; we may not get the latest value of current price which can affect the functionality...
No check for stale chainlink oracle data in getUnderlyingPrice function
Lines of code Vulnerability details No check for stale chainlink oracle data in getUnderlyingPrice function Impact There is no check if the value of answer returned by chainlink latestRoundData is latest or stale. If stale price is returned, it may result in wrong calculation used in upstream...
Improper Validation Of Chainlink's latestRoundData() Function
Lines of code Vulnerability details Impact The calls to the latestRoundData function do not validate the output of the Chainlink oracle query. As a result, it is possible to use stale results when returning the TWAP price. latestRoundData is able to ensure the round is complete and has returned a...
PriceOracle Does Not Filter Price Feed Outliers
Handle leastwood Vulnerability details Impact If for whatever reason the Chainlink oracle returns a malformed price due to oracle manipulation or a malfunctioned price, the result will be passed onto users, causing unintended consequences as a result. In the same time it's possible to construct...
Newly Registered Assets Skew Consultation Results
Handle leastwood Vulnerability details Impact The TwapOracle.consult function iterates over all token pairs which belong to either VADER or USDV and then calculates the price of the respective asset by using both UniswapV2 and Chainlink price data. This helps to further protect against price...