RedStone

oracle-aggregator

Cantina Security Report

Organization

@RedStone

Engagement Type

Cantina Reviews

Period

-

Repositories

N/A


Findings

Low Risk

1 finding

0 fixed

1 acknowledged

Informational

2 findings

2 fixed

0 acknowledged

Gas Optimizations

1 finding

1 fixed

0 acknowledged


Low Risk: 1 finding

  1. Inconsistent decimals-adjusted value returned from aggregator in case of non-USD denominated price feed

    State

    Acknowledged

    Severity

    Severity: Low

    Submitted by

    Om Parikh


    Description

    _safeLatestRoundData assumes the value returned by Chainlink has 8 decimals, which is not always true.

    As per the Chainlink documentation, AggregatorV3Interface(feed).decimals() should be used to query the precision of the respective feed.

    This is especially required for non-USD denominated feeds.

    Recommendation

    Ensure the returned value is always scaled to 8 decimals, irrespective of the underlying Chainlink price feed's decimals.
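    The recommendation as an added example, not code from the RedStone repository: a hypothetical contract whose _safeLatestRoundData queries the feed's decimals() under the per-read gas cap the report mentions and rescales the answer to 8 decimals in either direction. The interface subset matches Chainlink's AggregatorV3Interface; the gas-cap value and contract name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface (these two signatures match the real one).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract written for this report page; it is not the project's OracleAggregator.
contract ChainlinkDecimalsExample {
    uint8 internal constant TARGET_DECIMALS = 8;
    // Per-read gas cap as the report describes; the concrete value is an assumption.
    uint256 internal constant _GAS_LIMIT_PER_ORACLE_READ = 100_000;

    /// @notice Reads a Chainlink feed and normalises the answer to 8 decimals.
    /// @return ok false when either call fails or the answer is not positive
    /// @return price the answer scaled to 8 decimals (0 when ok is false)
    function _safeLatestRoundData(address feed) internal view returns (bool ok, uint256 price) {
        // Ask the feed for its precision instead of assuming 8 (the finding's root cause).
        uint8 feedDecimals;
        try AggregatorV3Interface(feed).decimals{gas: _GAS_LIMIT_PER_ORACLE_READ}() returns (uint8 d) {
            feedDecimals = d;
        } catch {
            return (false, 0);
        }
        int256 answer;
        try AggregatorV3Interface(feed).latestRoundData{gas: _GAS_LIMIT_PER_ORACLE_READ}()
            returns (uint80, int256 a, uint256, uint256, uint80)
        {
            answer = a; // staleness (updatedAt vs. an age threshold) is out of scope here
        } catch {
            return (false, 0);
        }
        if (answer <= 0) return (false, 0);
        return (true, _scaleTo8(uint256(answer), feedDecimals));
    }

    /// @dev Rescales value from feedDecimals to 8; e.g. an 18-decimal ETH-denominated feed is divided by 1e10.
    function _scaleTo8(uint256 value, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return value;
        if (feedDecimals < TARGET_DECIMALS) return value * 10 ** (TARGET_DECIMALS - feedDecimals);
        return value / 10 ** (feedDecimals - TARGET_DECIMALS);
    }
}
```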

Informational: 2 findings

  1. Missing natspec

    State

    Fixed

    PR #3

    Severity

    Severity: Informational

    Submitted by

    Om Parikh


    Description

    • NumericArrayLib is missing natspec on its functions. Several things, such as sort sorting in descending order, should be documented.

    • ETH_Oracle_Aggregated_Chronicle_Chainlink_Redstone should have some basic natspec/documentation for getAgeThreshold, checkAuthorisedDataConsumer, etc.

    • Several functions in OracleAggregator which revert or return hardcoded values don't have natspec explaining the reasoning.

    Recommendation

    Add appropriate natspec / documentation.

  2. Passing fixed gas in oracle reads may not work after a future hardfork

    State

    Fixed

    PR #3

    Severity

    Severity: Informational

    Submitted by

    Om Parikh


    Description

    In OracleAggregator, a fixed amount of gas (_GAS_LIMIT_PER_ORACLE_READ) is passed for reading the data, which could have a negative impact if a future Ethereum hardfork reprices opcodes and increases the cost of SLOAD.

    Recommendation

    • Document explicitly that in such a case a new oracle would be deployed
    • Pass a dynamic gas limit

Gas Optimizations: 1 finding

  1. Small gas optimization

    State

    Fixed

    PR #3

    Severity

    Severity: Gas optimization

    Likelihood: High × Impact: Low

    Submitted by

    high byte


    Description

    This arithmetic expression is not optimized and is recalculated every time, even though all three values are constants. It can be reduced to a simple division by the constant 1e8.

    Recommendation

    Cache the value in a constant.