Fast Khaki Raccoon
Medium
Incorrect min/maxPrice checks
ChainlinkSinglePriceOracle::_isValidAnswer() implements the following check:

    if (_answer > _max || _answer < _min) {
        _isValid = false;
    }

The issue is that the check is incorrect as it does not include the = sign. Also note that the min and max prices are deprecated but still available on some feeds such as DAI/USD on Arbitrum (DAI is supposed to be used as PAIRED_LP_TOKEN): https://arbiscan.io/address/0xFc06bB03a9e1D8033f87eA6A682cbd65477A43b9#readContract.
No response
No response
No attack path needed; the min and max price checks don't work.
The min and max price checks don't work properly, which can cause incorrect prices to be used.
No response
Include the = sign. Also consider reading https://rekt.news/venus-blizz-rekt/ to learn more about what could go wrong with that approach.
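
The boundary case behind this finding, as an added example that is not the audited project's code: the quoted exclusive comparison sits beside the inclusive form the mitigation asks for, so both can be called with an answer that equals a bound. The contract name, function names and the MIN/MAX values are hypothetical, and `reportedAnswer` is an assumed model in which the feed reports the bound itself once the market price leaves the band.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; names and values below are hypothetical.
contract BoundCheckDemo {
    // Constructed sample bounds for an 8-decimal USD feed (not read from any real feed).
    int256 public constant MIN = 1_000_000;      // 0.01 USD
    int256 public constant MAX = 10_000_000_000; // 100 USD

    /// Assumed feed model: the reported answer never leaves [MIN, MAX];
    /// a market price outside the band surfaces as the bound itself.
    function reportedAnswer(int256 marketPrice) public pure returns (int256) {
        if (marketPrice < MIN) return MIN;
        if (marketPrice > MAX) return MAX;
        return marketPrice;
    }

    /// Comparison as quoted in the finding: an answer equal to a bound
    /// fails neither test, so it is treated as valid.
    function isValidExclusive(int256 answer) public pure returns (bool isValid) {
        isValid = true;
        if (answer > MAX || answer < MIN) {
            isValid = false;
        }
    }

    /// Comparison with the = sign included: an answer sitting exactly on a
    /// bound is rejected, at the cost of also rejecting a genuine price
    /// that happens to equal the bound.
    function isValidInclusive(int256 answer) public pure returns (bool isValid) {
        isValid = true;
        if (answer >= MAX || answer <= MIN) {
            isValid = false;
        }
    }

    /// Runs both checks on the answer reported for a market price of
    /// 0.001 USD, which is below the constructed band.
    function demoCrash() external pure returns (bool exclusive, bool inclusive) {
        int256 answer = reportedAnswer(100_000);
        return (isValidExclusive(answer), isValidInclusive(answer));
    }
}
```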