Calls to Oracles don't check for stale prices
Summary
Oracle data feeds can return stale pricing data for a variety of reasons. If the returned pricing data is stale, this code will execute with prices that don’t reflect the current pricing.
Vulnerability Details
None of the oracle calls check for stale prices.
https://github.com/Mylifechangefast/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L207
https://github.com/Mylifechangefast/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L219
The function tokenToEurAvg() used in SmartVaultV3 to check the collateralization of the vault also uses ChainLink oracle data feeds without stale price check.
Impact
Using a stale price will result in incorrect calculations in most of the key functionalities of the LiquidationPool and the SmartVaultV3.
Tools Used
Manual review
Recommendations
Read the updatedAt parameter from the calls to latestRoundData() and compare it to a staleness threshold:
The staleness threshold should correspond to the heartbeat of the oracle's price feed. This can be found on Chainlink's list of Arbitrum mainnet price feeds by checking the "Show More Details" box, which will show the "Heartbeat" column for each feed.
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.