242 matches found
Missing circuit breaker checks in ethPerCvx() for Chainlink's price feed
Lines of code Vulnerability details Bug Description The ethPerCvx function relies on a Chainlink oracle to fetch the CVX / ETH price: VotiumStrategyCore.solL158-L169 try chainlinkCvxEthFeed.latestRoundData returns uint80 roundId, int256 answer, uint256 / startedAt /, uint256 updatedAt, uint80 /...
Users can deposit() even when Chainlink's price feed for CVX is stale
Lines of code Vulnerability details Bug Description In VotiumStrategy.sol, the price of vAfEth is determined by the price function: VotiumStrategy.solL31-L33 function price external view override returns uint256 return cvxPerVotium ethPerCvxfalse / 1e18; As seen from above, it calls ethPerCVX wit...
Stale cvx price can be used while depositing
Lines of code Vulnerability details Impact Stale cvx price can be used while depositing Proof of Concept When user deposits, then price of afEth token is calculated. It's needed to know how many tokens user will receieve. This price consists of safEth price and vEth price. This is how price is...
Assumptions are currently made that prices would forever be positive
Lines of code Vulnerability details Impact Neglecting the potential for negative asset prices can lead to inaccurate value representation in the Liquidity Pool, possibly affecting calculations related to assets and tokens. It's crucial to note that the value of an asset, even if negative in the...
Price Manipulation Through Vulnerability in simulateRange Function
Lines of code Vulnerability details Impact The simulateRange function, although designed for simulation and testing purposes, could potentially be exploited in a sandwich attack scenario. A malicious actor could front-run a user's transaction by using a flash loan to manipulate the price,...
Calculating slippage from price oracle is not accurate
Lines of code Vulnerability details Impact calculating slippage using oracle prices will lead to inaccurate slippage values , due to this swaps will fail or execute with higher slippage. Proof of Concept In curveSwap function of RdpxV2Core contract slippage is being calculated using oracles price...
Check for the L2 Sequencer's uptime when calling the Chainlink feed is not implemented
Lines of code Vulnerability details Impact The getAnswer function in the LPOracle and OracleConvert contracts has a vulnerability that does not include a check for the Sequencer's uptime when calling the Chainlink feed CLTOKENA, CLTOKENB. In Layer 2 L2 systems, the Chainlink oracle may return an...
Risk of Incorrect Collateral Pricing in Case of Aggregator Reaching minAnswer
Lines of code Vulnerability details Impact Chainlink aggregators have a built-in circuit breaker to prevent the price of an asset from deviating outside a predefined price range. This circuit breaker may cause the oracle to persistently return the minPrice instead of the actual asset price in the...
Potential Stale Data Due to Inadequate Round Validation
Lines of code Vulnerability details Impact Even tough the dev is checking if the data is stale or not some valid prices could still be considered as invalid because of this line: answeredInRound == roundId, sometimes the answeredInRound might be greater than roundId and would still be valid but i...
the getChainlinkPrice() function calling the latestRoundData without using the try/catch to avoid bad possible scenario
Lines of code Vulnerability details Impact Call to latestRoundData could potentially revert and make it impossible to query any prices. the getChainlinkPrice function should use try/catch to avoid the case of the getChainlinkPrice function revert and cause dos/block the system. Proof of Concept t...
the check for the roundId == answeredInRound should be set to >= in the ChainlinkCompositeOracle.sol#getPriceAndDecimals
Lines of code Vulnerability details Impact the function getPriceAndDecimals have check that it check if the round id is equal to the answer in round ID. this check should be change to = because some roundID may get the data/answers in the round that is more than the roundId and this case is...
Potential Exploitation due to Lack of Price Range Checks in Oracle Implementation
Lines of code Vulnerability details Impact Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value i.e. LUNA crash the price of the oracle will continue to return the...
Chainlink's latestRoundData might return stale or incorrect results
Lines of code Vulnerability details Impact Chainlink's latestRoundData is used but there is no check if the return value indicates stale data. This could return stale price data for the underlying asset. Proof of Concept getChainlinkPrice function uses Chainlink's latestRoundData to get the lates...
Missing check of how recent the price is can lead to stale price being used in the protocol
Lines of code Vulnerability details Impact In the ChainlinkOracle.sol file, in the function getChainlinkPriceAggregatorV3Interface feed, there is the check requireupdatedAt != 0, "Round is in incompleted state";. However, there is no check to see that the price is recent and acceptable. If there ...
missing check for the max/min price in the chainlinkOracle.sol contract
Lines of code Vulnerability details Impact the chainlinkOracle.sol contract specially the getChainlinkPrice function using the aggregator v2 and v3 to get/call the latestRoundData. the function should check for the min and max amount return to prevent some case happen, something like this: if cas...
DENIAL OF SERVICE COULD OCCUR IF CHAINLINK PRICE FEEDS ARE BLOCKED
Lines of code Vulnerability details Impact Protocol’s usability becomes very limited when access to Chainlink oracle data feed is blocked The LibOracle.readChainlinkFeed function calls the feed.latestRoundData on the chain link price feed to calculate the quotePrice and retrun it to the...
IF RETURNED DECIMAL VALUE IS ZERO, IT COULD BREAK THE FUNCTIONING OF THE PROTOCOL
Lines of code Vulnerability details Impact The LibOracle.readChainlinkFeed function is used to calculate the quotePrice for a collateral using the chainlink price feeds. The function uses the values received via the multiple arrays in the LibOracle.read function. One such array is the...
Chainlink's latestRoundData might return stale or incorrect results
Lines of code Vulnerability details Impact The getPORFeedData function in the contract StaderOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID, resulting in stale prices. The oracle wrapper calls out to a...
Mitigation Confirmed for Mitigation of H-06: Issue mitigated with error
Mitigated issue H-06: WstEth derivative assumes a 1=1 peg of stETH to ETH. The issue was that WstEth.withdraw and WstEth.ethPerDerivative assume a perfect peg between stETH and ETH, which may cause the slippage to be inaccurately evaluated. Mitigation review The issue has been mitigated by using...
Chainlink price feed responses are not validated
NEW ISSUE - MITIGATION IS NOT CONFIRMED NEW ISSUE - MITIGATION IS NOT CONFIRMED adriro-NEW-H-02 Chainlink price feed responses are not validated Link to changesets: Impact The protocol team introduced Chainlink price feeds for the Reth and WstEth derivatives in order to mitigate price manipulatio...