`latestRoundData()` has no check for round completeness
Summary
No check for RoundCompleteness could lead to stale prices and wrong price return value, or outdated price.
Vulnerability Details
The oracle wrapper staleCheckLatestRoundData(priceFeed) call out chainlink oracle with latestRoundData() to get the price of some token. Although the returned timestamp is checked that it's within the TIMEOUT,but there is no check for round completeness.
https://docs.chain.link/data-feeds/historical-data
Impact
If there is a problem with chainlink starting a new round and finding consensus on the new value for the oracle (e.g. chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale data (if oracles are unable to submit no new round is started).
This could lead to stale prices and wrong price return value, or outdated price
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/libraries/OracleLib.sol#L21C4-L34C1
Tools Used
Manual review
Recommendations
Validate data feed for round completeness
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.