15,000 USDC
Submission Details
Severity: medium
Valid

'staleCheckLatestRoundData()' does not check for round completeness

Summary

The Chainlink data feed is perhaps the most important component in the project: everything else depends on it. If the data it returns is incorrect and we do not detect that, everything else can go wrong: liquidations, health factors, etc. We should therefore take every measure to prevent this from happening.

Vulnerability Details

Currently the code only checks whether the round was updated more than three hours ago, but Chainlink's documentation suggests making two more checks on the returned result.

Impact

The likelihood is low, but it can lead to misleading, false results if the oracle system is not working as it should.

Tools Used

Manual Review

Recommendations

Add two more checks using the returned values:

    function staleCheckLatestRoundData(
        AggregatorV3Interface priceFeed
    ) public view returns (uint80, int256, uint256, uint256, uint80) {
        (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = priceFeed.latestRoundData();
        uint256 secondsSince = block.timestamp - updatedAt;
        // Added check: reject a zero or negative price
        require(answer > 0, "Chainlink price <= 0");
        // Added check: updatedAt == 0 means the round is not complete
        require(updatedAt != 0, "Incomplete round");
        // Existing check: reject a round older than TIMEOUT
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
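
The following off-chain model is an added example, not code from the submission or the audited project. It runs the timeout-only check and the recommended checks over constructed `latestRoundData()` tuples; the three-hour `TIMEOUT` comes from the text above, while the sample rounds, timestamp and Python names are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

TIMEOUT = 3 * 60 * 60  # seconds; the three-hour window named in the finding


class Round(NamedTuple):
    """Mirror of the tuple returned by latestRoundData()."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def timeout_only(r: Round, now: int) -> Optional[str]:
    """Current behaviour: reject only when the round is older than TIMEOUT."""
    return "OracleLib__StalePrice" if now - r.updated_at > TIMEOUT else None


def recommended(r: Round, now: int) -> Optional[str]:
    """Checks from the recommendation, in the same order as the Solidity code."""
    if r.answer <= 0:
        return "Chainlink price <= 0"
    if r.updated_at == 0:
        return "Incomplete round"
    return timeout_only(r, now)


NOW = 1_700_000_000  # constructed block.timestamp
SAMPLES = {  # constructed rounds, not real feed data
    "fresh": Round(10, 2000 * 10**8, NOW - 60, NOW - 60, 10),
    "stale": Round(10, 2000 * 10**8, NOW - 4 * 3600, NOW - 4 * 3600, 10),
    "zero_answer": Round(11, 0, NOW - 60, NOW - 60, 11),
    "negative_answer": Round(11, -1, NOW - 60, NOW - 60, 11),
    "incomplete": Round(12, 2000 * 10**8, NOW - 60, 0, 11),
}


def compare(now: int = NOW) -> dict:
    """Map each sample name to (timeout-only result, recommended result)."""
    return {k: (timeout_only(r, now), recommended(r, now)) for k, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:16} timeout-only={old or 'accepted'}  recommended={new or 'accepted'}")
```

In this model the zero and negative answers are the rounds that the timeout-only check accepts. The round with `updatedAt` equal to 0 is already rejected as stale, and the added check reports it with a specific reason instead.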
