Denial-of-Service Attack caused by external call

From WEB3 Vulnerapedia
Jump to navigation Jump to search

Denial-of-Service Attack caused by external call typically occurs in smart contracts deployed on blockchain networks like Ethereum. In such attacks, an adversary exploits vulnerabilities in a contract's design to initiate external calls to untrusted contracts or external addresses, which can lead to various forms of disruption or abuse.


When the protocol wants to use Chainlink's Oracle data feed to get a collateral token’s price, the fixed price for the token should not be set. When the fixed price is not set for the token, calling the Oracle contract's viewPrice() function…

function viewPrice(address token, uint collateralFactorBps) external view returns (uint) {
  if(fixedPrices[token] > 0) return fixedPrices[token];
  if(feeds[token].feed != IChainlinkFeed(address(0))) {
      // get price from feed
      uint price = feeds[token].feed.latestAnswer();
      require(price > 0, "Invalid feed price");
      // normalize price

will execute

uint price = feeds[token].feed.latestAnswer();

It is possible that Chainlink’s “multisigs can immediately block access to price feeds at will”[1]. When this occurs, executing


will revert.

Calling the viewPrice function also reverts, which causes denial of service.

This means that every function dependent of viewPrice() will potentially end up being reverted.


The Oracle contract's viewPrice functions can be updated to refactor



try feeds[token].feed.latestAnswer() returns (int256 price) { ... }
catch Error(string memory) { ... }

The logic for getting the collateral token's price from the Chainlink oracle data feed should be placed in the try block while some fallback logic when access to the Chainlink oracle data feed is denied should be placed in the catch block.