Skip to content

Latest commit

 

History

History
54 lines (33 loc) · 1.22 KB

046.md

File metadata and controls

54 lines (33 loc) · 1.22 KB

Interesting Cedar Hare

Medium

Use latestRoundData instead of latestAnswer

Summary

we are calling latestAnswer() to get the last oracle price. This method will return the last value, but you will not be able to check if the data is fresh. On the other hand, calling the method latestRoundData() allows you to run some extra validations.

Root Cause

https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/oracle/External/OracleRelay.sol#L18

function currentValue() external view override returns (uint256) { int256 latest = aggregator.latestAnswer(); require(latest > 0, "chainlink: px < 0"); return uint256(latest); }

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

stale price may happen in currentValue.

PoC

No response

Mitigation

( roundId, rawPrice, , updateTime, answeredInRound ) = IChainlinkAdapter(_oracle).latestRoundData(); require(rawPrice > 0, "Chainlink price <= 0"); require(updateTime != 0, "Incomplete round"); require(answeredInRound >= roundId, "Stale price");