latestRoundData() has no check for round completenes and price > 0
Summary
No check for round completeness could lead to stale prices and wrong price return value, or outdated price. The functions rely on accurate price feed might not work as expected, sometimes can lead to fund loss.
Vulnerability Details
The OracleLib staleCheckLatestRoundData(AggregatorV3Interface priceFeed) call out to an oracle with latestRoundData() to get the price of token. Although the returned timestamp is checked, there is no check for round completeness.According to Chainlink's documentation, this function does not error if no answer has been reached but returns 0 or outdated round data The external Chainlink oracle, which provides index price information to the system, introduces risk inherent to any dependency on third-party data sources
Chainlink documentation:
https://docs.chain.link/docs/historical-price-data/#historical-rounds
Impact
This could lead to stale prices and wrong price return value, or outdated price.
Tools Used
manual review
Recommendations
add check of validate roundID and price
function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
public
view
returns (uint80, int256, uint256, uint256, uint80)
{
(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
priceFeed.latestRoundData();
uint256 secondsSince = block.timestamp - updatedAt;
if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
+ require(answeredInRound >= roundID, "round not complete");
+ require(price > 0);
return (roundId, answer, startedAt, updatedAt, answeredInRound);
}
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.