Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Chainlink Oracle Security Considerations
Security Considerations for Integrating Chainlink Price OraclesPosted 2 Years Ago- Chainlink provides off-chain data to smart contracts in order for users to query them. Integrating with chainlink creates its own set of challenges.
- The oracles are updated periodically but must be updated by Chainlink. However, the values may be stale or out of date when calling
latestRoundData(). As a result, a user could contain money from the out of date oracle. Not checking if an L2 Sequencer is down falls into the same category. - When checking if a price feed has been updated, different feeds can have different heartbeats. So, the time for more value may be another. Additionally, simply checking whether the price oracles get updated enough is important. What if a price feed is never updated but we are using it? Real bad!
- Besides these, it's common to use wrong hardcoded values. For instance, the precision of various feeds may be assumed throughout the contract. Additionally, hardcoding the wrong address for the price is a common problem as well. This may be in a configuration file instead of the contract though.
- A classic blockchain problem is frontrunning. If updates are too slow and the price deviates too much, then they can be sandwiched. To solve this, adding small fees or delays on withdrawals.
- Another interesting case is a denial of service (DoS) via bad price feeds. The recommendation is to add functionality to update the price in case something breaks.
- The final cases are extreme price changes. If an asset is depegged (WBTC to BTC), then we want to ensure that malicious actors cannot benefit from this. The solution is looking at the price of BTC to WBTC. A similar thing can be done to prevent flash crash attacks on the protocol as well.
- Overall, integrating with Chainlink has it's problems just like everything else. Most of these feel like defense-in-depth, but is super important in the case of failure.
