Submission Details
Severity: medium
Valid

Data returned by `latestRoundData` is not checked thoroughly enough to determine whether the price is stale

Summary

When the Chainlink Aggregator is used to fetch the latest price of a token, there are not enough checks to ensure that the returned price is not stale.

Vulnerability Details

Currently, in OracleLib, when `latestRoundData` is read, the only check is that `updatedAt` lies between `block.timestamp - 3 hours` and `block.timestamp`; otherwise the price is considered stale. This check alone cannot determine whether the price is stale, because it ignores the rest of the round data (`roundId`, `answeredInRound`, whether the round has completed at all) and the sign of the answer. The fixed 3-hour window should also be reviewed: each feed has its own heartbeat, and some price feeds are not updated for a long time while the price is still valid (e.g. when the market is not very active or the price does not fluctuate enough to trigger an update), so a single constant does not fit every feed.

Impact

The returned price can be stale, so every calculation that depends on it, such as the user's health factor, would be incorrect; the wrong health factor output then puts the protocol into an incorrect state.

Tools Used

Manual review

Recommendations

In order to properly evaluate whether the price is up-to-date, the following checks should also be performed in addition to the existing timeout check (note that `require` with a custom error argument needs Solidity 0.8.26 or later; on older compilers use `if (...) revert ...;`):

```solidity
(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
    priceFeed.latestRoundData();
// `answer` is the returned price; a zero or negative value is never a valid price.
require(answer > 0, OracleLib__PriceCannotBeZero());
// The answer must come from the round being reported, not be carried over from an earlier round.
require(answeredInRound >= roundId, OracleLib__StalePrice());
// A round that has not completed reports updatedAt == 0.
require(updatedAt != 0, OracleLib__RoundNotCompleted());
```
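A fuller version of the oracle guard that combines the recommended checks with the existing timeout, as an added example; this is not the project's own OracleLib code. It assumes the standard Chainlink `AggregatorV3Interface` signature and replaces the single 3-hour constant with a per-feed `heartbeat` parameter (an assumption, not something the original report proposes). The `MockV3Aggregator` and `PriceConsumer` contracts are constructed test doubles so each revert path can be exercised in Remix or Foundry without a live feed; the 1-hour heartbeat in the consumer is an illustrative value only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal copy of the Chainlink AggregatorV3Interface (only the function used here).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Example stale-price guard written for this report; not the project's OracleLib.
library OracleLibExample {
    error OracleLib__PriceCannotBeZero();
    error OracleLib__StalePrice();
    error OracleLib__RoundNotCompleted();

    /// @param heartbeat Maximum seconds between updates for this specific feed
    ///        (assumption: the caller passes the heartbeat published for the pair
    ///        instead of one global 3-hour TIMEOUT shared by every feed).
    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed, uint256 heartbeat)
        internal
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
    {
        (roundId, answer, startedAt, updatedAt, answeredInRound) = priceFeed.latestRoundData();

        // 1. An incomplete round reports updatedAt == 0.
        if (updatedAt == 0) revert OracleLib__RoundNotCompleted();
        // 2. A timestamp in the future means a misbehaving aggregator; checking it first
        //    also keeps the subtraction in step 3 from underflowing.
        if (updatedAt > block.timestamp) revert OracleLib__StalePrice();
        // 3. Feed-specific timeout instead of one constant for all feeds.
        if (block.timestamp - updatedAt > heartbeat) revert OracleLib__StalePrice();
        // 4. The answer must belong to the round being reported, not be carried over.
        if (answeredInRound < roundId) revert OracleLib__StalePrice();
        // 5. Zero or negative answers are never valid prices.
        if (answer <= 0) revert OracleLib__PriceCannotBeZero();
    }
}

/// @dev Constructed test double: every field is settable so each check can be triggered.
contract MockV3Aggregator is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public startedAt;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function setRoundData(uint80 _roundId, int256 _answer, uint256 _updatedAt, uint80 _answeredInRound) external {
        roundId = _roundId;
        answer = _answer;
        startedAt = _updatedAt;
        updatedAt = _updatedAt;
        answeredInRound = _answeredInRound;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

/// @dev Example consumer; the 1-hour heartbeat is an assumed value for illustration.
contract PriceConsumer {
    using OracleLibExample for AggregatorV3Interface;

    AggregatorV3Interface public immutable feed;
    uint256 public constant HEARTBEAT = 1 hours; // assumption: set per feed in practice

    constructor(AggregatorV3Interface _feed) {
        feed = _feed;
    }

    /// @notice Reverts with one of the library errors instead of returning a stale price.
    function getPrice() external view returns (int256) {
        (, int256 price,,,) = feed.staleCheckLatestRoundData(HEARTBEAT);
        return price;
    }
}
```

To exercise the guard, deploy `MockV3Aggregator`, point a `PriceConsumer` at it, and call `setRoundData` with `_updatedAt = 0`, with `_answeredInRound` lower than `_roundId`, with a non-positive `_answer`, or with a timestamp older than `HEARTBEAT`; each case should make `getPrice()` revert with the matching error. One caveat on the `answeredInRound >= roundId` check: Chainlink now documents `answeredInRound` as deprecated and current feeds report it equal to `roundId`, so the check is harmless but does not catch anything on its own; the `updatedAt` and heartbeat checks are the ones doing the real work, which is why the heartbeat should be set per feed rather than as one global constant.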
