VAD37
medium
StableOracle follows the Chainlink example to get the latest price from Chainlink. This is a valid implementation, as the Chainlink decentralized oracle is simply hard to take down.
Apparently that is not enough for most wardens. For security reasons, everyone just spams oracle issues on every audit. So here I am, listing all possible Chainlink oracle issues, for some potshots.
- Chainlink is known for disabling oracles. The price might go stale. The oracle is not at latestRound. detail
- Lack of a heartbeat check to ensure the oracle's last price is from the last 24h. detail
- For stable tokens like DAI and USDC, the Chainlink oracle might return the minAnswer price instead of a zero price, to prevent a case like the LUNA UST crash again. Sample Detail
- For whatever reason, the oracle price can return to zero. Detail
When several people forget to pay the electricity bill, the oracle might go boom.
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWETH.sol#L21-L26
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L21-L26
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L43-L48
Manual Review
It is only necessary to check for a stale price and the heartbeat in the oracle contract. The chance of the Chainlink oracle returning the minAnswer price or a zero price is so low that it might only happen with the WBGL token.
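The four checks listed above, written out as an added example that is not the USSD StableOracle code. The contract name `CheckedFeed`, its error names and the constructor parameters are hypothetical; the floor and ceiling are assumed to be supplied by the deployer from the feed's published configuration, and the heartbeat would be `24 hours` for the window mentioned above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal local copy of the one Chainlink AggregatorV3Interface call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical wrapper for illustration only.
contract CheckedFeed {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable heartbeat; // maximum accepted price age, in seconds
    int256 public immutable minAnswer;  // feed floor, deployer-supplied (assumption)
    int256 public immutable maxAnswer;  // feed ceiling, deployer-supplied (assumption)

    error IncompleteRound();
    error StalePrice(uint256 age);
    error NonPositivePrice(int256 answer);
    error PriceAtBound(int256 answer);

    constructor(address feed_, uint256 heartbeat_, int256 min_, int256 max_) {
        feed = AggregatorV3Interface(feed_);
        heartbeat = heartbeat_;
        minAnswer = min_;
        maxAnswer = max_;
    }

    function getCheckedPrice() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // 1. Round never completed, or the answer was carried over from an older round.
        if (updatedAt == 0 || answeredInRound < roundId) revert IncompleteRound();

        // 2. Heartbeat: the last update must fall inside the accepted window.
        uint256 age = block.timestamp - updatedAt;
        if (age > heartbeat) revert StalePrice(age);

        // 3. Zero or negative price.
        if (answer <= 0) revert NonPositivePrice(answer);

        // 4. Answer pinned at the floor or ceiling, so the real price may lie beyond it.
        if (answer <= minAnswer || answer >= maxAnswer) revert PriceAtBound(answer);

        return uint256(answer);
    }
}
```

Checks 1 and 2 are the ones the recommendation treats as necessary; checks 3 and 4 cover the low-probability cases from the list.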