-
Many smart contracts use Chainlink to request off-chain pricing data, but a common error occurs when the smart contract doesn’t check whether that data is stale. Consider this stale pricing data finding from Sherlock’s USSD audit:
-
The staleness threshold should correspond to the heartbeat of the oracle’s price feed. This can be found on Chainlink’s list of Ethereum mainnet price feeds by checking the “Show More Details” box, which will show the “Heartbeat” column for each feed. For networks other than Ethereum mainnet, make sure to select your desired L1/L2 on that page before reading the data columns. More examples: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19]
-
Chainlink allows smart contract developers to receive a wide variety of off-chain data, with the most commonly used features being receiving off-chain randomness and off-chain pricing data. Integrating your smart contracts with Chainlink provides a unique set of potential security vulnerabilities that attackers can exploit; here are the common vulnerabilities that smart contract developers & auditors need to look out for.
-
When using Chainlink with L2 chains like Arbitrum, smart contracts must check whether the L2 Sequencer is down to avoid stale pricing data that appears fresh - Chainlink’s official documentation provides an example implementation. Smart contract auditors should look out for missing L2 sequencer activity checks when they see price code calling latestRoundData() in projects that are to be deployed on L2s. More examples: [1, 2, 3, 4, 5]
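
The sequencer check described above, as an added example (written for this page, not copied from the original article or from Chainlink's documentation). The contract name, constructor parameters and the one-hour grace period are assumptions; the uptime feed address depends on the L2 being targeted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface IAggregator {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical consumer deployed on an L2 such as Arbitrum.
contract SequencerAwarePrice {
    error SequencerDown();
    error GracePeriodNotOver(uint256 secondsSinceUp);

    // Assumed wait after the sequencer comes back before prices are trusted again.
    uint256 public constant GRACE_PERIOD = 1 hours;

    IAggregator public immutable sequencerUptimeFeed; // L2 sequencer uptime feed
    IAggregator public immutable priceFeed;           // e.g. an ETH/USD feed on the same L2

    constructor(address uptimeFeed_, address priceFeed_) {
        sequencerUptimeFeed = IAggregator(uptimeFeed_);
        priceFeed = IAggregator(priceFeed_);
    }

    function getPrice() external view returns (int256) {
        // Uptime feed convention: answer == 0 means the sequencer is up, 1 means down;
        // startedAt is the time at which the current status began.
        (, int256 status, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (status != 0) revert SequencerDown();

        // Right after a restart the price feed may not have caught up yet.
        uint256 sinceUp = block.timestamp - startedAt;
        if (sinceUp <= GRACE_PERIOD) revert GracePeriodNotOver(sinceUp);

        // The heartbeat-based staleness check on updatedAt still applies to this
        // read; it is left out here to keep the focus on the sequencer check.
        (, int256 answer, , , ) = priceFeed.latestRoundData();
        return answer;
    }
}
```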
-
Smart contracts often use multiple oracle price feeds to track prices for multiple assets. It is an error to assume that the same time interval heartbeat can be used as a staleness check for every feed, as different feeds can have different heartbeats. Consider this code from JOJO’s Sherlock audit:
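
An added example, not the JOJO code mentioned above and not from the original article: a hypothetical consumer that registers each feed with its own staleness threshold, covering both the heartbeat-based staleness check and the point that different feeds have different heartbeats. `PerFeedStalenessOracle`, `setFeed` and `getPrice` are illustrative names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface IPriceFeed {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical consumer: every feed carries its own maximum accepted age.
contract PerFeedStalenessOracle {
    error FeedNotConfigured(address feed);
    error InvalidPrice(address feed, int256 answer);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);

    address public immutable owner;
    // feed => maximum accepted age in seconds, taken from that feed's heartbeat
    mapping(address => uint256) public maxAge;

    constructor() {
        owner = msg.sender;
    }

    // heartbeatSeconds comes from the "Heartbeat" column for this feed on the target network.
    function setFeed(address feed, uint256 heartbeatSeconds) external {
        require(msg.sender == owner, "not owner");
        require(heartbeatSeconds != 0, "zero heartbeat");
        maxAge[feed] = heartbeatSeconds;
    }

    function getPrice(address feed) external view returns (uint256) {
        uint256 limit = maxAge[feed];
        if (limit == 0) revert FeedNotConfigured(feed);

        (, int256 answer, , uint256 updatedAt, ) = IPriceFeed(feed).latestRoundData();
        if (answer <= 0) revert InvalidPrice(feed, answer);

        // Compared against this feed's own threshold, not a constant shared by all feeds.
        // An updatedAt in the future underflows and reverts, which fails closed.
        if (block.timestamp - updatedAt > limit) revert StalePrice(feed, updatedAt, limit);

        return uint256(answer);
    }
}
```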
-
Care must be taken when selecting which price oracle(s) to use; using an oracle price feed that isn’t updated frequently will result in calculations being performed with inaccurate prices that don’t reflect the true value of the asset. Chainlink Oracles are currently the safest choice, but even then, care must be taken regarding which price feed to choose; similar price feeds can have different heartbeat & deviation thresholds; the longer the heartbeat & higher the deviation threshold, the more the oracle price can differ from the true, current price. Smart contract developers should use, & auditors should check for the use of, price feeds with the lowest heartbeat & deviation thresholds to ensure the oracle’s reported price is as close as possible to the true, current price. More examples: [1, 2, 3, 4]
-
When working with oracle price feeds, developers must account for different price feeds having different decimal precision; it is an error to assume that every price feed will report prices using the same precision. Generally, non-ETH pairs report using 8 decimals, while ETH pairs report using 18 decimals. If precision is assumed, there is plenty of room for developer mistakes, since, for example, ETH/USD reports using 8 decimals: it is considered a non-ETH pair because the price of ETH is being reported in USD. There are also price feeds such as AMPL/USD that report using 18 decimals, which breaks the general rule that USD price feeds report in 8 decimals. Smart contracts can call AggregatorV3Interface.decimals() to get the exact number of decimals for the price feed being called. More examples: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
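
One way to avoid assuming precision, as an added example that is not from the original article: read `decimals()` from each feed and rescale every answer to a single internal precision before combining prices. The contract and function names and the 18-decimal target are assumptions, and `crossRateWad` assumes both feeds quote in the same currency (for example two USD feeds such as the 18-decimal AMPL/USD and 8-decimal ETH/USD mentioned above).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface IFeed {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical reader that never hard-codes a feed's precision.
contract NormalizedPriceReader {
    uint8 public constant TARGET_DECIMALS = 18; // assumed internal accounting precision

    // Rescale a value reported with `fromDecimals` decimals to TARGET_DECIMALS.
    function scale(uint256 value, uint8 fromDecimals) public pure returns (uint256) {
        if (fromDecimals < TARGET_DECIMALS) {
            return value * uint256(10) ** (TARGET_DECIMALS - fromDecimals);
        }
        // Same or higher precision: divide (by 1 when equal), truncating extra digits.
        return value / uint256(10) ** (fromDecimals - TARGET_DECIMALS);
    }

    // Latest price of a feed, always expressed with 18 decimals.
    // Staleness checks are omitted to keep the focus on precision.
    function priceWad(address feed) public view returns (uint256) {
        (, int256 answer, , , ) = IFeed(feed).latestRoundData();
        require(answer > 0, "invalid price");
        return scale(uint256(answer), IFeed(feed).decimals());
    }

    // Price of the base asset in units of the quote asset, 18 decimals.
    // Dividing the raw answers directly would be off by 10^(difference in decimals).
    function crossRateWad(address baseFeed, address quoteFeed) external view returns (uint256) {
        return priceWad(baseFeed) * 1e18 / priceWad(quoteFeed);
    }
}
```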
-
when a user makes a deposit, enforce a delay that prevents them from withdrawing in a short amount of time to prevent sandwich attacks,
-
More examples: [1, 2]