Missing round-completeness check in OracleLib.staleCheckLatestRoundData can return a stale or incomplete price. Any function that depends on an accurate feed may then operate on a wrong value, which in the worst case leads to loss of funds.
OracleLib.staleCheckLatestRoundData(AggregatorV3Interface priceFeed) calls latestRoundData() on the Chainlink aggregator to get the token price. The returned updatedAt timestamp is compared against TIMEOUT, but nothing checks that the round is complete (answeredInRound >= roundId) or that the answer is positive. According to Chainlink's documentation, latestRoundData() does not revert when no answer has been reached for the current round; it returns 0 or the data of an outdated round instead. The external Chainlink oracle, which provides the price information this system depends on, carries the risk inherent in any dependency on third-party data, so the consumer has to validate what it receives.
Chainlink documentation:
https://docs.chain.link/docs/historical-price-data/#historical-rounds
An incomplete round passes the existing timestamp check and is used as if it were a valid price, so the protocol can act on a stale, zero or otherwise wrong price.
Manual review.
Add checks that validate the round ID (the round has been answered) and that the price is positive:
function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
public
view
returns (uint80, int256, uint256, uint256, uint80)
{
(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
priceFeed.latestRoundData();
uint256 secondsSince = block.timestamp - updatedAt;
if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
+ // The round is only complete once the aggregator has answered it.
+ require(answeredInRound >= roundId, "round not complete");
+ // A zero or negative answer means no valid price has been reached.
+ require(answer > 0, "invalid price");
return (roundId, answer, startedAt, updatedAt, answeredInRound);
}
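The following is an added, self-contained example (not the project's OracleLib and not Chainlink's code) showing the hardened check next to a constructed mock aggregator that can be put into each failure state the finding describes: a healthy round, a round whose answeredInRound lags roundId, a zero answer, and a round older than the timeout. The interface is a minimal copy of the AggregatorV3Interface surface used here; the TIMEOUT value, the error names, and the mock contract are assumptions for the demo:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal copy of the Chainlink AggregatorV3Interface surface used below.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hardened variant of the library function (example code, not the project's).
library HardenedOracleLib {
    error OracleLib__StalePrice();
    error OracleLib__RoundNotComplete();
    error OracleLib__InvalidPrice();

    // Assumed timeout; in practice set this to the feed's documented heartbeat.
    uint256 private constant TIMEOUT = 3 hours;

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        internal
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // No answer reached: Chainlink returns 0 rather than reverting.
        if (answer <= 0) revert OracleLib__InvalidPrice();
        // The aggregator has not answered the round it reports as latest.
        if (answeredInRound < roundId) revert OracleLib__RoundNotComplete();
        // updatedAt == 0 is also an unanswered round; otherwise enforce the age bound.
        if (updatedAt == 0 || block.timestamp - updatedAt > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

// Constructed mock feed so the check can be exercised offline (assumption, not a real feed).
contract MockV3Aggregator is AggregatorV3Interface {
    uint80 private _roundId;
    int256 private _answer;
    uint256 private _updatedAt;
    uint80 private _answeredInRound;

    function set(uint80 roundId_, int256 answer_, uint256 updatedAt_, uint80 answeredInRound_) external {
        _roundId = roundId_;
        _answer = answer_;
        _updatedAt = updatedAt_;
        _answeredInRound = answeredInRound_;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (_roundId, _answer, _updatedAt, _updatedAt, _answeredInRound);
    }
}

contract OracleCheckDemo {
    MockV3Aggregator public feed = new MockV3Aggregator();

    // External entry point so the revert can be caught with try/catch.
    function read() external view returns (int256) {
        AggregatorV3Interface f = feed;
        (, int256 answer,,,) = HardenedOracleLib.staleCheckLatestRoundData(f);
        return answer;
    }

    // true when the hardened check accepts the feed's current round, false when it reverts.
    function accepts() public view returns (bool) {
        try this.read() returns (int256) {
            return true;
        } catch {
            return false;
        }
    }

    // Walks the feed through the four states; expected result is (true, false, false, false).
    function demo() external returns (bool fresh, bool incomplete, bool zeroPrice, bool stale) {
        uint256 now_ = block.timestamp;
        feed.set(10, 2000e8, now_, 10);            // answered, recent: accepted
        fresh = accepts();
        feed.set(11, 2000e8, now_, 10);            // answeredInRound < roundId: rejected
        incomplete = accepts();
        feed.set(11, 0, now_, 11);                 // zero answer: rejected
        zeroPrice = accepts();
        uint256 old = now_ > 4 hours ? now_ - 4 hours : 0;
        feed.set(12, 2000e8, old, 12);             // older than TIMEOUT (or unset): rejected
        stale = accepts();
    }
}
```

Deploy OracleCheckDemo and call demo(); only the first state passes, and each of the three defective rounds reverts inside read() with a distinct custom error. Ordering the checks so that the price and round tests run before the age test means an unanswered round (answer 0, updatedAt 0) is reported for what it is instead of as a generic staleness failure. One caveat when applying this to a live feed: Chainlink's current documentation marks answeredInRound as deprecated on OCR-based feeds, where it is always equal to roundId, so on those feeds the positive-price and updatedAt checks do most of the work and the round check is a cheap defence for older aggregators.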