Steadefi

Tags: DeFi, Hardhat, Foundry, Oracle
Prize pool: 35,000 USDC

Submission Details
Severity: medium
Status: Invalid

`Chainlink.latestRoundData()` may return stale results

Summary

The _getChainlinkResponse() function is used to fetch token prices from Chainlink. The problem is that it does not check whether the returned data is stale.

Vulnerability Details

The ChainlinkOracle._getChainlinkResponse() function is used to get the latest Chainlink response.

    function _getChainlinkResponse(address _feed) internal view returns (ChainlinkResponse memory) {
        ChainlinkResponse memory _chainlinkResponse;
        _chainlinkResponse.decimals = AggregatorV3Interface(_feed).decimals();
        (
            uint80 _latestRoundId,
            int256 _latestAnswer,
            /* uint256 _startedAt */,
            uint256 _latestTimestamp,   // updatedAt: stored below but never validated
            /* uint80 _answeredInRound */
        ) = AggregatorV3Interface(_feed).latestRoundData();
        _chainlinkResponse.roundId = _latestRoundId;
        _chainlinkResponse.answer = _latestAnswer;
        _chainlinkResponse.timestamp = _latestTimestamp;
        _chainlinkResponse.success = true;   // set unconditionally, regardless of data age
        return _chainlinkResponse;
    }

The problem is that there is no check for stale data, and there are several reasons a price feed can become stale.

Impact

Since the token prices are used in many contracts, stale data could be catastrophic for the project.

Tools Used

Recommendations

Read the updatedAt return value from Chainlink.latestRoundData() and verify that it is not older than a specific time tolerance:

    require(block.timestamp - updatedAt < toleranceTime, "stale price");
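As an added example (not Steadefi's code), the read above rewritten with the checks the recommendation calls for; the interface is Chainlink's AggregatorV3Interface and `maxAge` is an assumed per-deployment tolerance derived from the feed's heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink's published aggregator interface, reduced to the two calls used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract SafeChainlinkReader {
    struct ChainlinkResponse {
        uint80 roundId;
        int256 answer;
        uint256 timestamp;
        uint8 decimals;
        bool success;
    }

    // Assumed tolerance: the feed's heartbeat plus a safety margin, fixed at deployment.
    uint256 public immutable maxAge;

    constructor(uint256 _maxAge) {
        maxAge = _maxAge;
    }

    function _getChainlinkResponse(address _feed) internal view returns (ChainlinkResponse memory r) {
        r.decimals = AggregatorV3Interface(_feed).decimals();
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(_feed).latestRoundData();

        // A zero updatedAt means the round never completed; a non-positive answer is unusable.
        require(updatedAt != 0, "round not complete");
        require(answer > 0, "invalid price");
        // The staleness check the finding recommends: bound the age of updatedAt.
        require(block.timestamp - updatedAt <= maxAge, "stale price");
        // Reject an answer carried over from an earlier round. Kept because the audited
        // function reads this field; newer Chainlink docs mark answeredInRound as legacy.
        require(answeredInRound >= roundId, "stale round");

        r.roundId = roundId;
        r.answer = answer;
        r.timestamp = updatedAt;
        r.success = true;   // only reached once every check has passed
    }
}
```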

Updates

Lead Judging Commences

hans (Lead Judge), almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink Oracle answerRoundID not checked

hans (Auditor), almost 2 years ago

hans (Lead Judge), almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
