Category: Coding Mistakes

Price feed may be gamed if insufficient rounds are captured

Low Severity
Low Impact
Medium Likelihood

Description

The VaultPriceFeed ensures that the indexToken is priced accurately, using whichever pricing mechanisms are necessary. When the standard Chainlink-style price-feed aggregator is used, it is possible to game positions if no round data has been registered.

The primary pricing mechanism uses Chainlink-style pricing aggregators as follows:

uint80 roundId = priceFeed.latestRound();

for (uint80 i = 0; i < priceSampleSpace; i++) {
    if (roundId <= i) { break; }
    uint256 p;

    if (i == 0) {
        int256 _p = priceFeed.latestAnswer();
        require(_p > 0, "VaultPriceFeed: invalid price");
        p = uint256(_p);
    } else {
        (, int256 _p, , ,) = priceFeed.getRoundData(roundId - i);
        require(_p > 0, "VaultPriceFeed: invalid price");
        p = uint256(_p);
    }

    if (price == 0) {
        price = p;
        continue;
    }

    if (_maximise && p > price) {
        price = p;
        continue;
    }

    if (!_maximise && p < price) {
        price = p;
    }
}

If the latest roundId is 0, the loop breaks on its first iteration (roundId <= i with i == 0) and the price is returned as 0. Thus, if an indexToken is added before the price feed has had time to accrue data, the position price will start at 0. A user may then be able to long a position knowing the price will only ever increase.

Additionally, with the default priceSampleSpace of 3, roundId needs to be at least 3 in order for the maximizing or minimizing logic to succeed.

Finally, it is worth mentioning that chain reorganizations may happen between when the feed is created and when the indexToken is approved. Thus, it is essential that the index token be approved for new positions only after no less than the minimum block time for finality on the target chain has passed.

Impact

If pricing mechanisms fail, the price will default to 0, which may lead to users gaming long positions.

Recommendations

Ensure that price feeds have sufficient rounds to allow for price minimums or maximums to be calculated and that these minimum rounds fall inside finalized blocks on the target chain.
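
One way to enforce the first half of this recommendation on-chain, as an added example that is not Plume Network's code or part of the original report: the sampling loop from the excerpt above with a guard that reverts until the feed has at least priceSampleSpace rounds. The IPriceFeed interface and the GuardedPriceSampler contract are assumptions made for illustration; only the three feed calls that appear in the excerpt are used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface: only the three calls used in the excerpt above.
interface IPriceFeed {
    function latestRound() external view returns (uint80);
    function latestAnswer() external view returns (int256);
    function getRoundData(uint80 roundId)
        external view returns (uint80, int256, uint256, uint256, uint80);
}

// Hypothetical wrapper for illustration, not the audited VaultPriceFeed.
contract GuardedPriceSampler {
    uint80 public immutable priceSampleSpace; // the finding cites a default of 3

    constructor(uint80 _priceSampleSpace) {
        require(_priceSampleSpace > 0, "sample space is zero");
        priceSampleSpace = _priceSampleSpace;
    }

    function getPrimaryPrice(IPriceFeed priceFeed, bool _maximise)
        external view returns (uint256 price)
    {
        uint80 roundId = priceFeed.latestRound();
        // Fail closed. The original loop breaks early when roundId <= i,
        // returning 0 (roundId == 0) or a min/max over fewer samples.
        require(roundId >= priceSampleSpace, "insufficient rounds");

        for (uint80 i = 0; i < priceSampleSpace; i++) {
            int256 _p;
            if (i == 0) {
                _p = priceFeed.latestAnswer();
            } else {
                (, _p, , , ) = priceFeed.getRoundData(roundId - i);
            }
            require(_p > 0, "invalid price");
            uint256 p = uint256(_p);

            // Same selection as the excerpt: first sample, then max or min.
            if (price == 0 || (_maximise && p > price) || (!_maximise && p < price)) {
                price = p;
            }
        }
        // Not reachable given the guards above; a zero price must never escape.
        require(price != 0, "zero price");
    }
}
```

The guard covers only the round count. Whether those rounds sit in finalized blocks cannot be checked by this function and still has to be handled by delaying approval of the index token.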

Remediation

This issue has been acknowledged by Plume Network. Plume Network has stated that price feeds will have lots of rounds before trading begins.

Zellic © 2025