Category: Coding Mistakes

Using deprecated Chainlink function

Medium Severity
Medium Impact
Low Likelihood

Description

In the UiPoolDataProvider contract, the function getReservesData() returns the list of aggregated reserves data. It uses latestAnswer() to get the Chainlink oracle price.

function getReservesData(ILendingPoolAddressesProvider provider)
  public
  view
  override
  returns (AggregatedReserveData[] memory, BaseCurrencyInfo memory)
{
  // ...
  BaseCurrencyInfo memory baseCurrencyInfo;
  baseCurrencyInfo.networkBaseTokenPriceInUsd = networkBaseTokenPriceInUsdProxyAggregator
    .latestAnswer();
  baseCurrencyInfo.networkBaseTokenPriceDecimals = networkBaseTokenPriceInUsdProxyAggregator
    .decimals();

  try oracle.BASE_CURRENCY_UNIT() returns (uint256 baseCurrencyUnit) {
    baseCurrencyInfo.marketReferenceCurrencyUnit = baseCurrencyUnit;
    baseCurrencyInfo.marketReferenceCurrencyPriceInUsd = int256(baseCurrencyUnit);
  } catch (
    bytes memory /*lowLevelData*/
  ) {
    baseCurrencyInfo.marketReferenceCurrencyUnit = ETH_CURRENCY_UNIT;
    baseCurrencyInfo
      .marketReferenceCurrencyPriceInUsd = marketReferenceCurrencyPriceInUsdProxyAggregator
      .latestAnswer();
  }

  return (reservesData, baseCurrencyInfo);
}

According to Chainlink's documentation, the latestAnswer() function is deprecated. This function does not revert if no answer was reached and will return zero. As this function provides the last recorded value, it does not offer any additional data to verify the returned data such as update time, round, and raw price.

Impact

If the function latestAnswer() fails to get the price, it will return zero. In this case, a protocol that uses UiPoolDataProvider will not work as expected.

Recommendations

Use latestRoundData and getRoundData to get the price instead of latestAnswer, as advised in Chainlink's documentation.

Both latestRoundData and getRoundData provide additional data to verify that the returned data is not stale or invalid.
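
The recommendation above, as an added example (not code from this report or from Molend's repository): a helper that reads latestRoundData() and reverts on a zero, negative, incomplete or stale answer instead of passing it on. The library name CheckedPriceFeed, the function readPrice, the maxAge parameter and the revert strings are assumptions made for illustration; maxAge has to be chosen per feed from its update interval.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.6.0 <0.9.0;

// Subset of Chainlink's AggregatorV3Interface needed by this example.
interface AggregatorV3Interface {
  function decimals() external view returns (uint8);

  function latestRoundData()
    external
    view
    returns (
      uint80 roundId,
      int256 answer,
      uint256 startedAt,
      uint256 updatedAt,
      uint80 answeredInRound
    );
}

// Hypothetical helper library; not part of the audited code base.
library CheckedPriceFeed {
  // Returns the latest answer and its timestamp, reverting where
  // latestAnswer() would have silently returned zero or old data.
  // maxAge (assumption): oldest acceptable update, in seconds.
  function readPrice(AggregatorV3Interface feed, uint256 maxAge)
    internal
    view
    returns (int256 answer, uint256 updatedAt)
  {
    (, answer, , updatedAt, ) = feed.latestRoundData();

    // A zero or negative answer is never a usable price.
    require(answer > 0, "feed: invalid answer");
    // updatedAt == 0 means the round has not completed.
    require(updatedAt != 0, "feed: incomplete round");
    // Reject timestamps from the future and data older than maxAge.
    require(
      updatedAt <= block.timestamp && block.timestamp - updatedAt <= maxAge,
      "feed: stale answer"
    );
  }
}
```

In getReservesData(), each .latestAnswer() call on a proxy aggregator would become a CheckedPriceFeed.readPrice(aggregator, maxAge) call, provided the aggregator behind it implements latestRoundData().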

Remediation

Molend Labs provided the following response:

We are using a Pyth-Chainlink adaptor to provide token prices from Pyth, so the latestAnswer() function is actually pointing to a Pyth oracle; thus it won't be affected by Chainlink's deprecation.

Zellic © 2024