Category: Coding Mistakes
Function _getTokenPrice() could return unexpected value
Severity: Informational
Impact: Informational
Likelihood: N/A
Description
The _getTokenPrice() function in the ChainlinkOracleAggregator contract performs an external staticcall to fetch the price of the specified token.
    function _getTokenPrice(
        address token
    ) internal view returns (uint256 tokenPriceUnadjusted) {
        // `success` is assigned here but never inspected below
        (bool success, bytes memory ret) = tokensInfo[token]
            .callAddress
            .staticcall(tokensInfo[token].callData);
        if (tokensInfo[token].dataSigned) {
            tokenPriceUnadjusted = uint256(abi.decode(ret, (int256)));
        } else {
            tokenPriceUnadjusted = abi.decode(ret, (uint256));
        }
    }
Impact
The success flag returned by the staticcall is never checked, so when success == false the function's return value tokenPriceUnadjusted could be zero. The caller getTokenValueOfOneNativeToken would then compute exchangeRate incorrectly, which ultimately affects the result of exchangePrice.
This could potentially lead to unexpected bugs in the future.
Recommendations
Consider checking the value of success, or check the return value at the caller's side.
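As an added illustration of the first recommendation (this is example code written for this page, not the fix Biconomy Labs shipped), the hardened version below reverts instead of returning a silent zero; it assumes the same tokensInfo struct shape as the original (callAddress, callData, dataSigned), and the contract name and error names are hypothetical. It also goes slightly beyond the finding by rejecting short return data and non-positive signed answers, both of which would otherwise pass through abi.decode and the uint256 cast unnoticed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical wrapper used only to host the hardened function.
contract HardenedTokenPriceExample {
    struct TokenInfo {
        address callAddress;
        bytes callData;
        bool dataSigned;
    }

    mapping(address => TokenInfo) public tokensInfo;

    // Hypothetical error names chosen for this example.
    error PriceCallFailed(address token);
    error MalformedPriceData(address token, uint256 length);
    error NonPositivePrice(address token, int256 price);

    function _getTokenPrice(
        address token
    ) internal view returns (uint256 tokenPriceUnadjusted) {
        TokenInfo storage info = tokensInfo[token];
        (bool success, bytes memory ret) =
            info.callAddress.staticcall(info.callData);

        // A reverted call returns success == false with whatever revert data the
        // target supplied; surface it rather than letting the caller see a zero price.
        if (!success) revert PriceCallFailed(token);

        // staticcall to an address with no code succeeds with empty return data,
        // so require a full 32-byte word before decoding anything.
        if (ret.length < 32) revert MalformedPriceData(token, ret.length);

        if (info.dataSigned) {
            int256 signed = abi.decode(ret, (int256));
            // A zero or negative int256 would otherwise become 0 or a huge uint256.
            if (signed <= 0) revert NonPositivePrice(token, signed);
            tokenPriceUnadjusted = uint256(signed);
        } else {
            tokenPriceUnadjusted = abi.decode(ret, (uint256));
            if (tokenPriceUnadjusted == 0) revert NonPositivePrice(token, 0);
        }
    }
}
```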
Remediation
Biconomy Labs implemented a fix for this issue in commit ca06c2a4.