21 matches found
The price update timestamp doesn't get checked, allowing for the use of stale prices
Lines of code Vulnerability details Impact It allows for the use of stale prices in cases where they will either damage the protocol or the user. Proof of Concept The protocol has a price oracle system where the price gets updated by an account with a privileged role by calling updatePrice...
Chainlink's latestRoundData might return stale or incorrect results
Lines of code Vulnerability details Impact The getPORFeedData function in the contract StaderOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID, resulting in stale prices. The oracle wrapper calls out to a...
Upgraded Q -> 3 from #88 [1679874647648]
Judge has assessed an item in Issue 88 as 3 risk. The relevant finding follows: L-2 Invalid and stale prices from Synthethix are not validated --- The text was updated successfully, but these errors were encountered: All reactions...
[NAZ-M2] Lack of Price Freshness Check In Oracle.sol#latestRoundData() Allows A Stale Price To Be Used
Lines of code Vulnerability details Impact Oracle.sol should use the updatedAt value from the Oracle.sollatestRoundData function to make sure that the latest answer is recent enough to be used. Proof of Concept In the current implementation of Oracle.sollatestRoundData, there is no freshness chec...
Chainlink's latestRoundData might return stale or incorrect results
Lines of code Vulnerability details Impact On Controller.sol and in PegOracle.sol we are using latestRoundData, but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation: Proof of Concept Tools Used Visual Inspection...
No Return Data Checks on Chainlink's latestRoundData() Might Return Stale Prices
Lines of code Vulnerability details Impact The updateExchangeRate function of FraxlendPairCore contract gets price using chainlink latestRoundData function. However it lacks the check on the return data and this might lead to stale prices. Proof of Concept ./FraxlendPairCore.sol:524: , int256...
Chainlink's latestRoundData might return stale or incorrect results
Lines of code Vulnerability details Impact Chainlink's latestRoundData might return stale or incorrect results Proof of Concept According to Chainlink documentation, there must be a check for stale prices. It's a link of the same issue. Tools Used Solidity Visual Developer of VSCode Recommended...
CHAINLINK’S LATESTROUNDDATA MIGHT RETURN STALE OR INCORRECT RESULTS
Lines of code Vulnerability details Impact This could lead to stale prices according to the Chainlink documentation: Proof of Concept On JBChainlinkV3PriceFeed.sol, we are using latestRoundData, but there is no check if the return value indicates stale data. function currentPriceuint256 decimals...
Oracle Prices Could Be Stale Or Manipulated due to latestAnswer() call
Lines of code Vulnerability details Impact In calls to the Chainlink oracle, the deprecated API function latestAnswer is used. This approach is vulnerable to price manipulation and stale prices according to the Chainlink documentation. This vulnerability was marked as Medium severity in the...
GUniLPOracle can provide stale prices
Lines of code Vulnerability details As stale price is determined by assetUpdatedAt, which is the time since last timestamp, the price that is most recent, but wasn't updated for more than threshold, will be rejected, which makes system unavailable in such a case. In the same time real stale price...
Insufficient oracle data feed validation
Lines of code Vulnerability details Impact Stale prices can lead to the incorrect valuation of assets Proof of Concept The code does not check the other data returned from latestRoundData which must be used to ensure that the data is not stale and that the price is valid File:...
Oracle Prices Used Could Be Stale Or Manipulated due to latestAnswer() call
Lines of code Vulnerability details Impact In the various calls to the Chainlink oracle, the deprecated API function latestAnswer is used. This approach is vulnerable to price manipulation and stale prices according to the Chainlink documentation. This vulnerability was marked as Medium severity ...
[WP-H3] money-market-contracts/oracle#feed_prices() delayed transaction may disrupt price feeds
Lines of code Vulnerability details The implementation only takes two attributes: asset and price. And the lastupdatedtime of the record will always be set to the current block.time. This makes it possible for the price feeds to be disrupted when the network is congested, or the endpoint is down...
Cvx3CrvOracle does not check that Chainlink data is fresh.
Handle TomFrenchBlockchain Vulnerability details Impact Usage of stale prices when querying chainlink oracles. Proof of Concept Cvx3CrvOracle queries chainlink oracles for the prices of DAI, USDC and USDT, however it doesn't require that the response is fresh by checking which round the answer wa...
Chainlink's latestRoundData might return stale results
Handle WatchPug Vulnerability details function peek bytes6 base, bytes6 quote, uint256 baseAmount private view returns uint256 quoteAmount, uint256 updateTime require base == ethId && quote == cvx3CrvId || base == cvx3CrvId && quote == ethId, "Invalid quote or base" ; , int256 daiPrice, , , =...
SHOULD CHECK RETURN DATA FROM CHAINLINK AGGREGATORS
Handle defsec Vulnerability details Impact The latestRoundData function in the contract PriceFeed.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID. Stale prices could put funds at risk. According to Chainlink's...
ChainLink price data could be stale
Handle cmichel Vulnerability details There is no check in ChainlinkAdapterEth.getPrice if the return values indicate stale data. This could lead to stale prices according to the Chainlink documentation: under current notifications: "if answeredInRound roundId could indicate stale data." under...
OracleManagerChainlink price data could be stale
Handle cmichel Vulnerability details There is no check in OracleManagerChainlink.getLatestPrice if the return values indicate stale data. This could lead to stale prices according to the Chainlink documentation: under current notifications: "if answeredInRound roundId could indicate stale data."...
OracleManagerEthKillerChainlink price data could be stale
Handle cmichel Vulnerability details There is no check in OracleManagerEthKillerChainlink.getLatestPrice if the return values indicate stale data. This could lead to stale prices according to the Chainlink documentation: under current notifications: "if answeredInRound roundId could indicate stal...
OracleManagerEthVsBtc price data could be stale
Handle cmichel Vulnerability details There is no check in OracleManagerEthVsBtc.getLatestPrice if the return values indicate stale data. This could lead to stale prices according to the Chainlink documentation: under current notifications: "if answeredInRound roundId could indicate stale data."...