Submission Details
Severity: medium
Valid

latestRoundData() has no check for round completeness and price > 0

Summary

Without a round-completeness check, the oracle call can return a stale, zero or otherwise wrong price. Functions that rely on an accurate price feed might then not work as expected, which can in some cases lead to loss of funds.

Vulnerability Details

The OracleLib function staleCheckLatestRoundData(AggregatorV3Interface priceFeed) calls out to a Chainlink oracle with latestRoundData() to get the price of a token. Although the returned timestamp (updatedAt) is checked against TIMEOUT, there is no check that the round is complete (answeredInRound >= roundId) or that the answer is positive. According to Chainlink's documentation, latestRoundData() does not revert if no answer has been reached; it returns 0 or outdated round data instead. The external Chainlink oracle, which provides index price information to the system, introduces the risk inherent in any dependency on third-party data sources.

Chainlink documentation:
https://docs.chain.link/docs/historical-price-data/#historical-rounds

Impact

The protocol could consume a stale, zero or otherwise wrong price from an incomplete round, and every calculation that depends on that price would be wrong.

Tools Used

Manual review

Recommendations

Add checks that validate the round ID (the round has been answered) and the price (the answer is positive). In the original snippet the new checks referred to roundID and price, which do not exist in this function; the identifiers are roundId and answer.

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        // added: the latest round must actually have been answered
        require(answeredInRound >= roundId, "round not complete");
        // added: Chainlink returns 0 when no answer exists, so reject non-positive answers
        require(answer > 0, "invalid price");

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
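A complete version of the hardened library with a mock feed that exercises each rejected case, added here as an example; it is not the submission's or the project's own code. The TIMEOUT value (3 hours), the custom error names for the two new checks, and the MockAggregator/Consumer contracts are assumptions constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

interface AggregatorV3Interface {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

library OracleLib {
    error OracleLib__StalePrice();
    error OracleLib__IncompleteRound(); // assumed name, not from the page
    error OracleLib__InvalidPrice();    // assumed name, not from the page

    uint256 private constant TIMEOUT = 3 hours; // assumed; use the feed's heartbeat plus a margin

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        internal view returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // A round that has not been answered yet has answeredInRound < roundId.
        if (answeredInRound < roundId) revert OracleLib__IncompleteRound();
        // Chainlink returns 0 when no answer exists; negative values are never a valid price.
        if (answer <= 0) revert OracleLib__InvalidPrice();
        // updatedAt == 0 means the round was never updated; otherwise enforce the timeout.
        if (updatedAt == 0 || block.timestamp - updatedAt > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

// Constructed mock feed for tests: set() chooses which branch the library takes.
contract MockAggregator is AggregatorV3Interface {
    uint80 public roundId; int256 public answer; uint256 public updatedAt; uint80 public answeredInRound;

    function set(uint80 r, int256 a, uint256 u, uint80 ar) external {
        roundId = r; answer = a; updatedAt = u; answeredInRound = ar;
    }

    // startedAt is reported equal to updatedAt; the library does not depend on it.
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}

contract Consumer {
    using OracleLib for AggregatorV3Interface;

    // Reverts on an incomplete round (ar < r), a zero answer, or an updatedAt older than TIMEOUT.
    function price(AggregatorV3Interface feed) external view returns (int256) {
        (, int256 answer,,,) = feed.staleCheckLatestRoundData();
        return answer;
    }
}
```

With the mock, set(2, 0, block.timestamp, 1) reverts with OracleLib__IncompleteRound and set(2, 0, block.timestamp, 2) with OracleLib__InvalidPrice, while set(2, 2000e8, block.timestamp, 2) returns the answer.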
