15,000 USDC
Submission Details
Severity: medium
Valid

Chainlink's `latestRoundData` might return stale or incorrect results

Summary

When a protocol relies on a Chainlink price feed, always check whether the price is outdated, stale, or incorrect, because the data returned by Chainlink nodes is not always valid.

Vulnerability Details

OracleLib.sol does not check the data returned by Chainlink.

Impact

If Chainlink returns old or zero data, the user's collateral will be liquidated prematurely.

Tools Used

manual

Recommendations

function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
public
view
returns (uint80, int256, uint256, uint256, uint80)
{
(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
priceFeed.latestRoundData();
uint256 secondsSince = block.timestamp - updatedAt;
if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
+ if(roundId<answeredInRound) revert OracleLib__StalePrice();
+ if(answer<=0) revert OracleLib__StalePrice();
return (roundId, answer, startedAt, updatedAt, answeredInRound);
}
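
Review bot: The first added line compares the round ids in the wrong direction. `if(roundId<answeredInRound)` fires only when the answer comes from a later round than the one being reported, whereas the carried-over case this check is normally meant to catch is `answeredInRound < roundId`, so as written a stale answer from an earlier round still passes. Suggest `if (answeredInRound < roundId) revert OracleLib__StalePrice();`. Separately, the `answer<=0` line reuses `OracleLib__StalePrice` for a price that is invalid rather than old; a distinct error for non-positive answers would let callers and monitoring tell the two failure modes apart.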
