The staleCheckLatestRoundData function in the OracleLib.sol library lacks proper checks on the return values obtained from the Chainlink aggregator. The function fetches asset prices using latestRoundData but does not validate the roundId, the updatedAt timestamp, or the other response parameters. As a result, the contract may receive stale or incorrect price data from the external Chainlink aggregator, so outdated data is fed into the index price calculations for liquidity.
The vulnerable staleCheckLatestRoundData function fetches the latest asset price from the Chainlink aggregator via the latestRoundData function. However, it fails to perform essential checks on roundId, updatedAt and the other response parameters. Without these validation steps the function cannot determine whether the price it receives is fresh and accurate, so the contract might use outdated or erroneous price information and be exposed to the issues that stale price data causes.
The vulnerability can manifest in various ways. For instance, if the Chainlink oracle experiences delays or malfunctions, it might return price data that is no longer relevant or has not been updated in time. The contract, lacking validation, will blindly accept this stale data and use it for critical operations, such as index price calculations.
Navigate to the following contract "https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/libraries/OracleLib.sol#L21"
Missing validation checks:
VS Code
Manual review
Consider adding missing checks for the stale data.
For example:
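The snippet the report refers to is not reproduced on this page. The following is an added example, not the report's or the Cyfrin project's own code: a hardened version of the function, assuming the library signature shown in the linked OracleLib.sol (a view function taking an AggregatorV3Interface and returning the five latestRoundData values). The three-hour TIMEOUT and the MockFeed contract are assumptions used only to exercise the checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed import path; adjust to the project's Chainlink dependency.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

library OracleLibHardened {
    error OracleLib__StalePrice();
    error OracleLib__InvalidRound();
    error OracleLib__InvalidPrice();

    // Assumed staleness window; set it relative to the feed's heartbeat.
    uint256 private constant TIMEOUT = 3 hours;

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // A zero round id or zero timestamps means no completed round exists.
        if (roundId == 0 || startedAt == 0 || updatedAt == 0) revert OracleLib__InvalidRound();
        // The answer must come from this round or a later one (older feeds
        // could return an answer carried over from an earlier round).
        if (answeredInRound < roundId) revert OracleLib__InvalidRound();
        // An update timestamp in the future indicates a misbehaving feed.
        if (updatedAt > block.timestamp) revert OracleLib__InvalidRound();
        // Reject answers older than the configured window.
        if (block.timestamp - updatedAt > TIMEOUT) revert OracleLib__StalePrice();
        // Chainlink prices are positive; zero or negative is never a valid price.
        if (answer <= 0) revert OracleLib__InvalidPrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

// Constructed mock feed so the checks can be exercised without a live oracle.
contract MockFeed is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 _roundId, int256 _answer, uint256 _updatedAt, uint80 _answeredInRound) external {
        roundId = _roundId;
        answer = _answer;
        updatedAt = _updatedAt;
        answeredInRound = _answeredInRound;
    }

    function decimals() external pure returns (uint8) { return 8; }
    function description() external pure returns (string memory) { return "MOCK / USD"; }
    function version() external pure returns (uint256) { return 1; }

    function getRoundData(uint80) external view returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}

// Constructed consumer demonstrating the two outcomes.
contract Demo {
    using OracleLibHardened for AggregatorV3Interface;

    MockFeed public feed = new MockFeed();

    // Fresh round: returns normally.
    function freshPrice() external returns (int256) {
        feed.set(10, 2000e8, block.timestamp, 10);
        (, int256 price,,,) = AggregatorV3Interface(address(feed)).staleCheckLatestRoundData();
        return price;
    }

    // Round updated four hours ago: reverts with OracleLib__StalePrice.
    function stalePrice() external returns (int256) {
        feed.set(11, 2000e8, block.timestamp - 4 hours, 11);
        (, int256 price,,,) = AggregatorV3Interface(address(feed)).staleCheckLatestRoundData();
        return price;
    }
}
```

The answeredInRound comparison is harmless on current OCR feeds, where it always equals roundId, but it still catches carried-over answers on older aggregators. The TIMEOUT must be chosen per feed: a window shorter than the feed's heartbeat will revert during normal operation, while a window far longer than it defeats the purpose of the check.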