Data returned by `latestRoundData` not checked enough in order to determinate if price is stale
Summary
When Chainlink Aggregator is used to fetch the latest price of a token, there are no enough checks to ensure if returned price is stale.
Vulnerability Details
Currently, in OracleLib, when latestRoundData is read, there is the check if the updatedAt is is the value from block.timestamp and block.timestamp - 3 hours. In case this is not the case, the price is considered stale. This alone cannot be used to determine if the price is stale. This should also be reviewed, as some of the price feeds may not be updated for a long time, and the price may still be valid (eg in case market is not so active or there is no fluctionation in price).
Impact
The prices returned can be stale, therefore the calculations price, like getting health factor for the user, would essentially be incorrect and therefore set protocol in an incorrect state by the wrong output of health factor calculations.
Tools Used
Manual review
Recommendations
In order to properly evaluate whether the price is up-to-date, the following checks should also be performed:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.