Omniscia Kanpeki Finance Audit

Oracle Manual Review Findings


Description:

The Chainlink interface used by the contract is a legacy one that does not allow its yielded result to be properly sanitized, for example by enforcing a round threshold between the answer round and the retrieval round.

Example:

contracts/Oracle.sol
// Chainlink Feed
interface IFeed
{
  function latestAnswer () external view returns (int256);
}

Recommendation:

We strongly recommend that the interface be updated to the latest version and that the proper Chainlink value sanitization checks be enforced, avoiding data staleness.

Alleviation:

The latest version of Chainlink is now properly utilized in the codebase.

ORA-02M: Potentially Incorrect Decimal Assumption

Type: Standard Conformity
Severity: Minor
Location: Oracle.sol:L124

Description:

The _calcTokenETHRate function assumes that all the answers yielded by USD feeds will have an equivalent decimal precision, which is not guaranteed by Chainlink.

Example:

contracts/Oracle.sol
113 function _calcTokenETHRate (address token) private view returns (uint256)
114 {
115   address ethFeed = _ETHFeed[token];
116
117
118   if (ethFeed != address(0))
119   {
120     return _uintify(IFeed(ethFeed).latestAnswer());
121   }
122   else if (_USDFeed[token] != address(0))
123   {
124     return ( _uintify(IFeed(_USDFeed[token]).latestAnswer()) * _DECIMALS ) / _uintify(IFeed(_USDFeed[_WETH]).latestAnswer());
125   }
126   else
127   {
128     return _uintify(0);
129   }
130 }

Recommendation:

We advise either that proper decimal conversions be enforced here, using the corresponding getter functions of the Chainlink feeds, or that a single require statement be enforced whenever a new feed is set, ensuring that the decimal precision is equal to a canonical one between USD feeds.

Alleviation:

Require checks for the inclusion of the feeds have now been properly introduced, ensuring that they have exactly 18 decimals of precision if they are an ETH feed or 8 decimals of precision if they are a USD-based feed.
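
Example (added here, not taken from the Kanpeki codebase or from the audit): a sketch that applies both recommendations above, reading prices through latestRoundData with staleness and round checks, and rejecting feeds whose decimals differ from the canonical precision when they are set. The contract name, MAX_DELAY, the owner check and the setFeed signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface, the successor to latestAnswer().
interface AggregatorV3Interface
{
    function decimals () external view returns (uint8);
    function latestRoundData () external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract: its name, MAX_DELAY and the owner check are assumptions.
contract SanitizedOracle
{
    uint256 private constant MAX_DELAY = 1 hours; // assumed staleness window
    uint256 private constant ONE = 1e18;          // ETH-rate scaling factor
    address private immutable _owner;
    address private immutable _WETH;
    mapping(address => address) private _ETHFeed;
    mapping(address => address) private _USDFeed;

    constructor (address weth) { _owner = msg.sender; _WETH = weth; }

    // Refuse a feed unless it has the canonical precision: 18 (ETH) or 8 (USD).
    function setFeed (address token, address feed, bool isUSD) external
    {
        require(msg.sender == _owner, "!owner");
        uint8 expected = isUSD ? 8 : 18;
        require(AggregatorV3Interface(feed).decimals() == expected, "!decimals");
        if (isUSD) { _USDFeed[token] = feed; } else { _ETHFeed[token] = feed; }
    }

    // Revert on a non-positive, incomplete, stale or carried-over answer.
    function _read (address feed) private view returns (uint256)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();
        require(answer > 0, "!answer");
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_DELAY, "stale");
        require(answeredInRound >= roundId, "!round");
        return uint256(answer);
    }

    // USD feeds share 8 decimals, so the ratio is well defined.
    // A missing feed reverts here instead of returning 0 (this example's choice).
    function tokenETHRate (address token) external view returns (uint256)
    {
        if (_ETHFeed[token] != address(0)) { return _read(_ETHFeed[token]); }
        require(_USDFeed[token] != address(0) && _USDFeed[_WETH] != address(0), "!feed");
        return (_read(_USDFeed[token]) * ONE) / _read(_USDFeed[_WETH]);
    }
}
```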