Skip to content

Latest commit

 

History

History
32 lines (26 loc) · 1.23 KB

045.md

File metadata and controls

32 lines (26 loc) · 1.23 KB

Furry Rusty Monkey

Medium

Insufficient validation of Chainlink data feeds

Vulnerability Details

In the MasterPriceOracle contract, the protocol uses a ChainLink aggregator to fetch the latestRoundData(),

// Get the eth price 
(, int256 price_, , , ) = oracle.latestRoundData();

however, these calls to oracle::latestRoundData lack the necessary validation for Chainlink data feeds to ensure that the protocol does not ingest stale or incorrect pricing data that could indicate a faulty feed.

Impact

This discrepancy could have the protocol produce incorrect values for fetched asset prices

Code Snippet

https://github.com/sherlock-audit/2024-11-autonomint/blob/main/Blockchain/Blockchian/contracts/oracles/MasterPriceOracle.sol#L83

Tool Used

Manual Review

Recommendation

Consider adding missing checks for stale data:

-       (, int256 price_, , , ) = oracle.latestRoundData();
+        (uint80 RoundID, int256 Answer,, uint256 Timestamp, uint80 AnsweredInRound) =
+            oracle.latestRoundData();
+        require(AnsweredInRound >= RoundID, "Stale price!");
+        require(Timestamp != 0, "Round not complete!");
+        require(block.timestamp - Timestamp <= VALID_TIME_PERIOD);