Soaring Orchid Viper - Incorrect Round Data Handling in getRoundData Function #152
Description
Soaring Orchid Viper
Medium
Incorrect Round Data Handling in getRoundData Function
Summary
The getRoundData function ignores the input _roundId and returns the latest price data regardless of the requested round. This violates the Chainlink AggregatorV3Interface specification, which expects historical round data to be retrievable by roundId.
Root Cause
In the contract NAVProxyUSDTBPriceFeed.sol
The function getRoundData calls pyth.getPriceUnsafe(priceId), which always returns the latest price. The input _roundId is not used to fetch historical data, and the returned roundId, startedAt, updatedAt, and answeredInRound all derive from the latest price’s publishTime. This misleads consumers into believing historical data is being returned.
Internal Pre-conditions
The contract is used in a system that relies on accurate historical price data by getting data for a particular round or time period
External Pre-conditions
The Pyth oracle has multiple historical price updates stored, and consumers call getRoundData with valid historical roundId values.
Attack Path
- An attacker observes that historical round IDs return the latest price.
- The attacker exploits this by running transactions that rely on historical data, knowing the proxy will return incorrect values.
Impact
Applications depending on accurate historical data from the oracle will make incorrect decisions and breaks the chainlink interface logic which it is trying to mirror because getRoundData for different rounds should return different data
PoC
Mitigation
Modify getRoundData to fetch historical prices using pyth. If historical data is not available, revert