Lucene search
K

20 matches found

Code423n4
Code423n4
•added 2023/11/15 12:0 a.m.•28 views

Missing sanity checks in Chainlink response

Lines of code Vulnerability details Summary Chainlink responses from price feeds are being used without any sanity checks. Impact The ChainlinkPriceOracle contract is used to interface with the Chainlink price feeds for the different LST assets in scope in the protocol. The current implementation...

7AI score
Exploits0
Code423n4
Code423n4
•added 2023/07/07 12:0 a.m.•19 views

DENIAL OF SERVICE COULD OCCUR IF CHAINLINK PRICE FEEDS ARE BLOCKED

Lines of code Vulnerability details Impact Protocol’s usability becomes very limited when access to Chainlink oracle data feed is blocked The LibOracle.readChainlinkFeed function calls the feed.latestRoundData on the chain link price feed to calculate the quotePrice and retrun it to the...

6.6AI score
Exploits0
Code423n4
Code423n4
•added 2023/03/07 12:0 a.m.•11 views

Price manipulation attack

Lines of code Vulnerability details Impact The PriceFeed.sol was marked OOS but I believe this to be a valid issue. If the chainlink feed fails which is does from time to time, the Tellor price feed takes over no matter what the delta is compared to the chainlink price. This is an issue because t...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2023/01/20 12:0 a.m.•7 views

stRSR.seizeRSR() should check whether the basket of collateral is defaulted

Lines of code Vulnerability details Impact Backing Manager can seize RSR anytime and not within reason. RSR stakers will lose their funds. Proof of Concept Protocol states that staked RSR can be seized in the case of a collateral default, in a process that is entirely mechanistic based on on-chai...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/12/16 12:0 a.m.•12 views

Lack of validation on price feeds

Lines of code Vulnerability details Impact Lack of validation on Chainlink price feeds may result in incorrectly functioning or non-functioning protocol. For example: during high volatility a price feed may be suspended or become stale; on L2 networks the sequencer might be down on L2 networks th...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/11/10 12:0 a.m.•19 views

Chainlink USD price feeds can have more than 8 decimals

Lines of code Vulnerability details Impact Collateral value is overestimated by orders of magnitude if asset that has a chainlink oracle USD price feed with more than 8 decimals is added. A borrower can borrow much more than allowed in an EscrowedLine Proof of Concept In Oracle.sol the USD price...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/10/30 12:0 a.m.•10 views

Using deprecated Chainlink function latestAnswer could result in wrong borrowing power

Lines of code Vulnerability details Impact The Oracle contract is used to get the latest price for the users collateral tokens, but the functions getPrice and viewPrice use a deprecated Chainlink function latestAnswer to get the price of a given token as it's mentionned here, this function does n...

6.5AI score
Exploits0
Code423n4
Code423n4
•added 2022/09/19 12:0 a.m.•16 views

PegOracle reported fraction price is constructed to favor the depeg

Lines of code Vulnerability details Depeg event is defined as linked asset price being below the strike price in the terms of the underlying asset. However, the PegOracle aimed to report the fraction of the pegged asset to the underlying always reports the number below 1, no matter how prices are...

6.6AI score
Exploits0
Code423n4
Code423n4
•added 2022/09/01 12:0 a.m.•11 views

Check additional fields returned by latestRoundData to ensure price data is not stale/incorrect

Lines of code Vulnerability details Impact Not checking additional fields returned by Chainlink might cause incorrect prices being processed. Proof of Concept The only values being check from latestRoundData are price and updatedAt. File: src/modules/PRICE.sol 161: , int256 ohmEthPriceInt, ,...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/05/05 12:0 a.m.•10 views

Oracle data feed is insufficiently validated

Lines of code Vulnerability details description When using Chainlink Price feeds it is important to ensure the price feed data was updated recently. While getting started with chainlink requires just one line of code, it is best to add additional checks for in production environments. findings...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/05/03 12:0 a.m.•8 views

Chainlink pricer is using a deprecated API

Lines of code Vulnerability details Impact According to Chainlink's documentation, the latestAnswer function is deprecated. This function might suddenly stop working if Chainlink stop supporting deprecated APIs. And the old API can return stale data. Proof of Concept Tools Used None Recommended...

6.9AI score
Exploits0
Code423n4
Code423n4
•added 2022/04/21 12:0 a.m.•9 views

Missing Validations for the return values of Chainlink Price feeds

Lines of code Vulnerability details Impact You check only the answerThe price after calling the chainlink Chainlink Price feeds in the following lines. In addition, you need to check whether the data is really updated. Proof of Concept Tools Used code review Recommended Mitigation Steps Please ad...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/04/19 12:0 a.m.•15 views

Improper Validation Of Chainlink's latestRoundData Function

Lines of code Vulnerability details Impact When using Chainlink Price feeds, it is important to ensure the price feed data was updated recently. While getting started with chainlink requires just one line of code, it is best to add additional checks for "in production" environments. Here,...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/04/13 12:0 a.m.•23 views

Deprecated CHAINLINK API usage

Lines of code Vulnerability details Impact Usage of deprecated chainlink function to get collateral price. Proof of Concept The Chainlink API latestAnswer used in the FungibleAssetVaultForDAO contract is deprecated: This method returns the last value but that value cannot be fully updated. New V3...

7AI score
Exploits0
Code423n4
Code423n4
•added 2022/04/13 12:0 a.m.•12 views

Use of deprecated oracle API in _normalizeAggregatorAnswer

Lines of code Vulnerability details Use of deprecated oracle API in normalizeAggregatorAnswer Likelihood low, impact high. The Chainlink latestAnswer function included in IAggregatorV3Interface and called in NFTVaultnormalizeAggregatorAnswer is considered deprecated and no longer included in the...

6.8AI score
Exploits0
Code423n4
Code423n4
•added 2022/04/13 12:0 a.m.•7 views

Use of deprecated oracle API in _collateralPriceUsd

Lines of code Vulnerability details Likelihood low, impact high. The Chainlink latestAnswer function included in IAggregatorV3Interface and called in FungibleAssetVaultForDAOcollateralPriceUsd is considered deprecated and no longer included in the Chainlink API documentation. It's considered best...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/03/09 12:0 a.m.•14 views

[WP-H3] money-market-contracts/oracle#feed_prices() delayed transaction may disrupt price feeds

Lines of code Vulnerability details The implementation only takes two attributes: asset and price. And the lastupdatedtime of the record will always be set to the current block.time. This makes it possible for the price feeds to be disrupted when the network is congested, or the endpoint is down...

6.7AI score
Exploits0
Code423n4
Code423n4
•added 2022/01/27 12:0 a.m.•15 views

Use of deprecated Chainlink API

Handle 0x1f8b Vulnerability details Impact Deprecated API stops working. Prices cannot be obtained. Protocol stops and contracts have to be redeployed. Proof of Concept The contracts use Chainlink’s deprecated API latestAnswer. Such functions might suddenly stop working if Chainlink stopped...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/10/27 12:0 a.m.•9 views

MochiCSSRv0.update() Does Not Operate Correctly On Bluechip Assets

Handle leastwood Vulnerability details Impact Mochi vaults query price feeds for updates via the update function in MochiCSSRv0.sol. If the asset to be queried is a bluechip asset, the function will call getPrice on an adapter which adheres to the ICSSRAdapter interface. If the adapter is not...

7AI score
Exploits0
Code423n4
Code423n4
•added 2021/07/07 12:0 a.m.•7 views

Use of deprecated Chainlink API

Handle 0xRajeev Vulnerability details Impact The contracts use Chainlink’s deprecated API latestAnswer. Such functions might suddenly stop working if Chainlink stopped supporting deprecated APIs. Impact: Deprecated API stops working. Prices cannot be obtained. Protocol stops and contracts have to...

7AI score
Exploits0
Rows per page
Query Builder