RedStone Oracles
Co-audit with CODESPECT of the RedStone oracle protocol's Consumer and Price Feed components. The 2-week review of 1,236 nSLOC across 24 contracts identified 5 issues (1 Medium, 2 Best Practices, 2 Informational), all reviewed and either fixed or acknowledged with a written justification. The protocol's documentation, NatSpec coverage, and test suite quality were rated High.
Scope
21 files · 1,236 SLOC
Findings
Key Findings
- Potential scaling to unexpected decimal places. MultiFeedAdapterWithoutRounds.priceOf() always multiplies the underlying value by 10^10, assuming an 8-decimal (10^8-scaled) price feed. The function does not consult the data feed's actual decimals, which can lead to a mismatch and incorrect price calculations for feeds that depart from the default.
- Compiler version with known assembly bugs. The on-chain-relayer package compiles against Solidity ~0.8.14, a version with documented assembly-related bugs. Although the current code path does not appear to be impacted, upgrading to ~0.8.15 or later closes that risk.
- MAX_DATA_STALENESS should vary based on data feed. A single global MAX_DATA_STALENESS constant is used for all price feeds, but feeds have different update frequencies (heartbeats). A tailored staleness window per feed would more accurately reflect each feed's expected freshness.
- Potential rounding-down precision loss in median aggregation. When the number of price elements is even, the median is computed as the arithmetic average of the two middle values via integer division, producing a small downward bias. RedStone's default 8-decimal feeds keep this loss around 0.0000005%, but the behaviour is worth flagging.
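The scaling finding above, as an added illustration that is not RedStone's own code: the hard-coded 10^10 multiplication beside a form that reads the feed's own decimals() and scales to the target. The IPriceFeedLike interface, the contract name and the 18-decimal target are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical minimal feed interface (assumption, not RedStone's own).
interface IPriceFeedLike {
    function decimals() external view returns (uint8);
    function latestAnswer() external view returns (int256);
}

contract ScalingExample {
    uint8 internal constant TARGET_DECIMALS = 18; // assumed target precision

    // Pattern flagged in the finding: the feed is assumed to have 8 decimals,
    // so the answer is always multiplied by 10^10. A 6-decimal feed is then
    // reported 100x too small and a 12-decimal feed 10,000x too large.
    function priceOfAssumes8Decimals(IPriceFeedLike feed) external view returns (uint256) {
        int256 answer = feed.latestAnswer();
        require(answer > 0, "bad answer");
        return uint256(answer) * 1e10;
    }

    // Hardened form: consult the feed's declared decimals and scale up or down.
    function priceOfScaled(IPriceFeedLike feed) external view returns (uint256) {
        int256 answer = feed.latestAnswer();
        require(answer > 0, "bad answer");
        return scaleToTarget(uint256(answer), feed.decimals());
    }

    // Pure helper so the scaling rule can be unit-tested without a live feed.
    function scaleToTarget(uint256 value, uint8 feedDecimals) public pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return value;
        if (feedDecimals < TARGET_DECIMALS) {
            return value * (10 ** uint256(TARGET_DECIMALS - feedDecimals));
        }
        // Feeds above the target precision are truncated on purpose; checked
        // arithmetic in 0.8.x reverts on any overflow of the multiplication above.
        return value / (10 ** uint256(feedDecimals - TARGET_DECIMALS));
    }
}
```

A feed whose decimals() can change after deployment should be re-read on every call, as priceOfScaled does, rather than cached at construction.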
Disclaimer
This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

