Omniscia Tangible Audit

GoldOracleTangibleV2 Manual Review Findings

Description:

The referenced invocation of latestRoundData is insecure as it does not properly sanitize the result of the oracle call.

Impact:

Currently, a misbehaving Chainlink oracle will not be detected by the Tangible protocol, causing it to consume incorrect or outdated / stale price points for the assets it is querying.

Example:

contracts/priceOracles/GoldOracleTangibleV2.sol (line 90)
(, int256 price, , , ) = priceFeed.latestRoundData();

Recommendation:

We advise that the code be updated to enforce proper sanitization measure(s) on the result of the external Chainlink oracle call.

The data point of interest that the latestRoundData function yields is the updatedAt timestamp. The aim is to enforce a particular "heartbeat" of data validity, ensuring that the updatedAt value satisfies the time threshold imposed by the Tangible protocol. We should note that Chainlink imposes different heartbeats for different asset types and, as such, the time limit imposed needs to be sensible given both the Tangible protocol's needs and the idle-time threshold Chainlink has set for each particular data feed.

As an alternative, we advise that an administrative manual "pause" mechanism be introduced, preventing price measurements from the GoldOracleTangibleV2::_latestAnswer method from being utilized. This will permit the Tangible team to react quickly in case of abnormal market events such as the LUNA price crash.
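
The two mitigations recommended above (a staleness bound on updatedAt and an administrative pause), shown together as an added example; this is not the Tangible code base nor the fix applied in the alleviation commit. The contract name, `maxStaleness`, `admin` and `setPaused` are assumptions, and the positive-price check is a common extra validation that the finding does not specifically name.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Chainlink's aggregator interface, reduced to the one call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical consumer contract; all names are illustrative assumptions.
contract StalenessCheckedOracle {
    AggregatorV3Interface public immutable priceFeed;
    address public immutable admin;
    // Maximum accepted age of a price in seconds. Should be no shorter
    // than the heartbeat Chainlink publishes for the specific feed.
    uint256 public immutable maxStaleness;
    bool public paused;

    error OraclePaused();
    error StalePrice(uint256 updatedAt, uint256 currentTime);
    error InvalidPrice(int256 price);

    constructor(AggregatorV3Interface feed, uint256 maxStaleness_) {
        priceFeed = feed;
        admin = msg.sender;
        maxStaleness = maxStaleness_;
    }

    // Manual circuit breaker for abnormal market events.
    function setPaused(bool paused_) external {
        require(msg.sender == admin, "not admin");
        paused = paused_;
    }

    function latestAnswer() external view returns (uint256) {
        if (paused) revert OraclePaused();
        (, int256 price, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        // Reject unset timestamps, timestamps in the future, and reports
        // older than the configured bound.
        if (updatedAt == 0 || updatedAt > block.timestamp ||
            block.timestamp - updatedAt > maxStaleness)
            revert StalePrice(updatedAt, block.timestamp);
        // Extra check (assumption): a zero or negative answer is unusable.
        if (price <= 0) revert InvalidPrice(price);
        return uint256(price);
    }
}
```

Reverting on stale data makes callers fail closed; consumers that must stay live during a feed outage need an explicit fallback path instead of silently reusing the last answer.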

Alleviation (2ad448279d9e8e4b6edd94bcd2eb22129b6f7357):

A time-based check was introduced, ensuring that the price has been reported within the past day and preventing outdated / stale Chainlink data from being consumed.

As such, we consider this restriction sufficient in the context of the Tangible team's use case.