Early Carob Barbel - API3Oracle may return expired prices
#35
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Early Carob Barbel -
Early Carob Barbel
Medium
API3Oraclemay return expired pricesSummary
The API3 price oracle referenced by the project returns
(int224 value, uint32 timestamp), but the project only receives value as price, but ignores the reception and processing of timestamp, which may result in an expired price when obtaining prices through the API3 price oracle.The recommended way is to add
require(timestamp + 24 hours > block.timestamp), which is the recommended processing method in the API3 price oracle documentation referenced by the project. (https://docs.api3.org/dapps/integration/contract-integration.html#using-timestamp)Root Cause
In
API3Oracle.sol:79(https://github.com/sherlock-audit/2024-12-mach-finance/blob/main/contracts/src/Oracles/API3/API3Oracle.sol#L79), the reception and processing of timestamp is missingInternal Pre-conditions
Any price acquisition operation in the project may obtain expired prices, which may lead to abnormal price calculation results and cause financial losses.
External Pre-conditions
Any price acquisition operation in the project may obtain expired prices, which may lead to abnormal price calculation results and cause financial losses.
Attack Path
Any price acquisition operation in the project may obtain expired prices, which may lead to abnormal price calculation results and cause financial losses.
Impact
Any price acquisition operation in the project may obtain expired prices, which may lead to abnormal price calculation results and cause financial losses.
PoC
No response
Mitigation
Add
require(timestamp + 24 hours > block.timestamp)inAPI3Oracle::_getLatestPriceThe text was updated successfully, but these errors were encountered: