242 matches found
Mitigation Confirmed for H-06
Fix looks good. Root issue was assume 1:1 peg for stETH. This has been fixed by getting true price of stETH from chainlink oracle. --- The text was updated successfully, but these errors were encountered: All reactions...
Mitigation Confirmed for H-06
MITIGATION IS NOT CONFIRMED MITIGATION IS NOT CONFIRMED Mitigation of H-06: Issue not mitigated Link to Issue: code-423n4/2023-03-asymmetry-findings588 Comments Issue H-06 describes the potential problems of assuming a peg of stETH to ETH. The sponsor proposed a mitigation to fetch the price of...
Mitigation Confirmed for NEW
H-02, H-05, H-06, H-08 mitigation error: No sanity check on Chainlink price feed Description and recommendation The mitigation of issues H-02, H-05, H06 and H-08 have introduced a Chainlink price feed. In all of those instances there are no sanity checks on the Chainlink return data, especially...
Tray tile characterIndex values (via PRNG) can be manipulated by miners
Lines of code Vulnerability details Impact By manipulating the ordering of transactions in blocks, miners could manipulate the characterIndex values of a Tray's tiles. This could result in miners being able to specifically select characterIndex values that they want for specific Tray tiles, rathe...
Some figures are more likely to be drawn
Lines of code Vulnerability details Description The function reconstructTicket generate the winning ticket the from the ramdom number generated by Chainlink VRF V2. The design of this function makes the occurrence of some numbers more likely than others. Impact With the current implementation and...
Lottery owner can rig the draw to win the jackpot by swapping the source
Lines of code Vulnerability details Lottery owner can rig the draw to win the jackpot by swapping the source Impact The lottery owner has the ability to swap the Random Source under certain cirumstances, and this can be exploited to set a new source contract that returns any number set by it. Thi...
Lottery owner can manipulate the RNG to favour themselves, or other certain participants
Lines of code Vulnerability details The docs state that Chainlink VRF will be used as the source of randomness, whose subscription model is described here. A call is made to Chainlink's VRFCoordinatorV2 requestRandomWords function, after which a response is sent back in the form of a call to...
Price manipulation attack
Lines of code Vulnerability details Impact The PriceFeed.sol was marked OOS but I believe this to be a valid issue. If the chainlink feed fails which is does from time to time, the Tellor price feed takes over no matter what the delta is compared to the chainlink price. This is an issue because t...
Incorrect Price-Feed Failsafe System
Lines of code https://github...
No check for active sequencer
Lines of code Vulnerability details Impact The protocol will operate at the previous stale rates. Proof of Concept Chainlink recommends that all Optimistic L2 oracles consult the Sequencer Uptime Feed to ensure that the sequencer is live before trusting the data returned by the oracle, even if...
Upgraded Q -> M from #404 [1674736594739]
Judge has assessed an item in Issue 404 as M risk. The relevant finding follows: L‑04 latestAnswer is deprecated Use latestRoundData instead so that you can tell whether the answer is stale or not. The latestAnswer function returns zero if it is unable to fetch data, which may be the case if...
Upgraded Q -> M from #472 [1674665995647]
Judge has assessed an item in Issue 472 as M risk. The relevant finding follows: L-01 CHAINLINK AGGREGATOR IS NOT SUFFICIENTLY VALIDATED AND CAN RETURN STALE ANSWER As shown below, calling the getAssetPrice function in the ParaSpaceOracle contract can execute price = uint256source.latestAnswer,...
Unchecked return price > 0 oracle
Lines of code Vulnerability details Impact In the function price, there is no check that the return price that chainlink sends is 0. uint80 roundId, int256 p, , uint256 updateTime, uint80 answeredInRound = chainlinkFeed .latestRoundData; if updateTime == 0 || answeredInRound timeout revert...
[NAZ-M1] fulfillRandomWords() Must Not Revert
Lines of code Vulnerability details Impact In the current implementation of fulfillRandomWords can revert which it is not supposed to. Proof of Concept In the Chainlink documentation it states: "If your fulfillRandomWords implementation reverts, the VRF service will not attempt to call it a secon...
Chainlink price feed is not sufficiently validated and can return stale price
Lines of code Vulnerability details Impact As mentioned by , "Prices provided by the oracle network are also compared to Chainlink's public price feeds for additional security. If prices have more than a 2% difference the transaction is reverted." The Chainlink price verification logic in the...
Lack of validation on price feeds
Lines of code Vulnerability details Impact Lack of validation on Chainlink price feeds may result in incorrectly functioning or non-functioning protocol. For example: during high volatility a price feed may be suspended or become stale; on L2 networks the sequencer might be down on L2 networks th...
Draw organizer can rig the draw to favor certain participants such as their own account.
Lines of code Vulnerability details Description In RandomDraw, the host initiates a draw using startDraw or redraw if the redraw draw expiry has passed. Actual use of Chainlink oracle is done in requestRoll: request.currentChainlinkRequestId = coordinator.requestRandomWords keyHash:...
Draw organizer can time draws so that user's have the illusion of fair random, but draw can be cancelled.
Lines of code Vulnerability details Description In RandomDraw, host can call startDraw or redraw to request a Chainlink random number, which will be used to select the winning user. They may then collect the prize NFT using winnerClaimNFT. The issue is that in the two draw functions, it is never...
TradingLibrary#verifyPrice doesn't check if data is fresh which can lead to costly downtime
Lines of code Vulnerability details Impact verifyPrice may check against stale data causing valid transactions to revert Proof of Concept if chainlinkEnabled && chainlinkFeed != address0 int256 assetChainlinkPriceInt = IPricechainlinkFeed.latestAnswer; if assetChainlinkPriceInt != 0 uint256...
Function fulfillRandomWords in VRFNFTRandomDraw contract must not revert
Lines of code Vulnerability details The VRFNFTRandomDraw contract implements the Chainlink VFR feature to pull random data to select the raffle winner. As per their security guidelines the implementation of the fulfillRandomWords function must not revert. Impact If the fulfillRandomWords function...