Skip to content

Latest commit

 

History

History
54 lines (32 loc) · 1.28 KB

032.md

File metadata and controls

54 lines (32 loc) · 1.28 KB

Mammoth Tangerine Gerbil

Medium

Chainlink - Use latestRoundData instead of latestAnswer to run more validations

Summary

https://github.com/sherlock-audit/2024-11-oku/blob/e844037b3fcd8288efe10a2f1cf43e62bad7b4e1/oku-custom-order-types/contracts/oracle/External/OracleRelay.sol#L18-L23

OracleRelay.sol is is calling latestAnswer to get the last price. This method will return the last value, but you won't be able to check if the data is fresh. On the other hand, calling the method latestRoundData allow you to run some extra validations

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Stale price may result in wrong swaps which will cause to loss of funds.

Also the latestAnswer method is depracated by chainlink and may not work in the future.

PoC

No response

Mitigation

Consider using latestRoundData() with the following additional checks:

( roundId, rawPrice, , updateTime, answeredInRound ) = aggregator.latestRoundData(); require(rawPrice > 0, "Chainlink price <= 0"); require(updateTime != 0, "Incomplete round"); require(answeredInRound >= roundId, "Stale price");