API3 - Data Feed Proxy Combinators
Summary
Quantstamp has audited API3's Data Feed Proxy Combinator codebase, which offers different ways to adapt oracle price data feeds to other formats. Each contract in scope wraps either a Chainlink or API3 data feed and exposes both of their interfaces to transform the oracle data in the following ways: - **`InverseApi3ReaderProxyV1`** inverts the oracle price. - **`ScaledApi3FeedProxyV1`** exposes a Chainlink interface for API3 data feeds. - **`NormalizedApi3ReaderProxyV1`** exposes an API3 interface for Chainlink data feeds. - **`ProductApi3ReaderProxyV1`** returns the product of two oracles. - **`PriceCappedApi3ReaderProxyV1`** caps the price with a lower and/or upper bound. The security of the oracle contracts mostly depends on the context of their integration and usage. However, we have outlined two medium severity issues that may introduce security concerns for integrating protocols. Overall, the contracts are well-written and security best practices are followed. **Fix Review Update**: During the fix review, the client has acknowledged all four findings and elaborated on them in the NatSpec documentation. The two suggestions were successfully fixed.
