'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
OpenEden Disclosed Report
Audit report OpenEden USDO Express Smart Contract Audit Contest`AssetRegistery::_getFreshPrice` Uses deprecated `answerInRound`
Target
https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/tree/f3f31d2ac15e3253cba342229f9d05495f95d6fd
Vulnerability Details
Summary
The AssetRegistry::_getFreshPrice function implements stale price checks using the deprecated answeredInRound parameter from Chainlink's latestRoundData() function. According to Chainlink's official documentation, this parameter is no longer maintained and should not be used for validation purposes.
Description
The _getFreshPrice function retrieves price data from Chainlink price feeds and performs several validation checks to ensure data quality:
function _getFreshPrice(address priceFeed) internal view returns (uint256 price, uint8 decimals) {
(uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = IPriceFeed(priceFeed)
.latestRoundData();
if (answer <= 0) revert AssetRegistryInvalidPrice(answer);
if (block.timestamp - updatedAt > maxStalePeriod) {
revert AssetRegistryStalePriceData(updatedAt, block.timestamp, maxStalePeriod);
}
// Check for incomplete round data
@> if (answeredInRound < roundId) {
revert AssetRegistryStalePriceData(updatedAt, block.timestamp, maxStalePeriod);
}
price = uint256(answer);
decimals = IPriceFeed(priceFeed).decimals();
}
Why This Is a Problem:
According to Chainlink's official documentation, the answeredInRound parameter has been deprecated and is no longer guaranteed to be accurate or maintained.
Impact
- No Guarantee of Accuracy: The
answeredInRoundvalue may not be reliably updated or maintained by Chainlink oracles across different feeds - Inconsistent Behavior: The deprecated parameter may behave differently across various Chainlink price feeds, networks, or oracle versions
- Price Query DOS:The unreliable deprecated check may incorrectly reject valid price data, causing legitimate transactions to revert
Mitigation
- Remove the deprecated
answeredInRoundcheck entirely and rely on the robustupdatedAttimestamp validation
Validation steps
Proof Of Concept
Reference Documentation:
According to Chainlink's official API documentation for latestRoundData():
Source: https://docs.chain.link/data-feeds/api-reference#latestrounddata
The documentation explicitly states that answeredInRound is deprecated and should not be used for validation purposes. The return values section shows:
roundId: The round IDanswer: The pricestartedAt: Timestamp of when the round startedupdatedAt: Timestamp of when the round was updatedansweredInRound: Deprecated - Previously used for tracking round completion
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (3) 
