The function 'staleCheckLatestRoundData' lacks additional checks for stale data.
Stale data refers to outdated or incorrect information provided by the oracle to the smart contract, leading to inaccurate results and potentially causing financial losses or other unexpected behaviors. The issue can be exploited by an attacker who monitors the oracle feed in use (with a bot, for example) and times transactions according to the price movements to their own advantage.
The price can be stale, which leads to a wrong price return value.
Solodit;
Manual code review;
Chainlink best practices.
-Ensure that the round has finished and that the pricing data is from the current round in both places where the function "staleCheckLatestRoundData()" is called (getUsdValue, getTokenAmountFromUsd); add the checks:
require(price > 0, "price <= 0");
require(updateTime != 0, "incomplete round");
require(answeredInRound >= roundId, "stale price");
-The multi-oracle approach is recommended to mitigate the risk of stale-data vulnerabilities [use multiple oracles to fetch data from different sources and aggregate the results to increase reliability].
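As an added illustration (not the audited project's code), the recommended checks applied inside a staleCheckLatestRoundData wrapper library so that both getUsdValue and getTokenAmountFromUsd read the feed through it; the 3-hour timeout bound and the Chainlink import path are assumptions to adjust per feed and per project:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed install path of the Chainlink contracts package.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

// Added example: wraps latestRoundData() with the stale-data checks recommended above.
library OracleLib {
    error OracleLib__StalePrice();

    // Assumption: feed heartbeat plus a safety margin; set per feed.
    uint256 private constant TIMEOUT = 3 hours;

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        internal
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 price, uint256 startedAt, uint256 updateTime, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // A zero or negative answer is never a valid price.
        require(price > 0, "price <= 0");
        // updatedAt == 0 means the round has not completed yet.
        require(updateTime != 0, "incomplete round");
        // The answer must belong to the current round, not be carried over from an earlier one.
        require(answeredInRound >= roundId, "stale price");
        // Reject answers older than the assumed heartbeat bound.
        if (block.timestamp - updateTime > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, price, startedAt, updateTime, answeredInRound);
    }
}
```

Callers declare `using OracleLib for AggregatorV3Interface;` and replace direct `latestRoundData()` reads in getUsdValue and getTokenAmountFromUsd with `priceFeed.staleCheckLatestRoundData()`.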