The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Chainlink’s latestRoundData might return stale or incorrect results

Summary

Chainlink’s latestRoundData might return stale or incorrect results

Vulnerability details

LiquidationPool::distributeAssets() calls a Chainlink oracle and reads the price from latestRoundData(), ignoring the other returned values:

(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();

Impact

If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the Chainlink system), consumers of this contract may continue using outdated, stale or incorrect data (if oracles are unable to submit, no new round is started).

Recommended Mitigation

Consider adding the following checks after getting data from a Chainlink price feed:

// TOO_MUCH_TIME is the maximum accepted age of a price, in seconds
(, int256 priceEurUsd, , uint256 updatedAt, ) = AggregatorV3Interface(XXX).latestRoundData();
require(priceEurUsd > 0, "Chainlink price <= 0");
require(updatedAt != 0, "Incomplete round");
// Reject the answer when the last update is older than the threshold
require(block.timestamp - updatedAt <= TOO_MUCH_TIME, "Stale price data");
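
The recommended checks gathered into one reusable helper with a mock feed for local testing, as an added example that is not part of the original submission or The Standard's code base. `CheckedFeed`, `MockFeed`, `Consumer` and `MAX_AGE` are hypothetical names, and the one-day threshold is a placeholder assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal copy of the Chainlink feed interface, declared inline so the file compiles alone.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper (not the project's code): one place for all feed checks.
library CheckedFeed {
    error NonPositivePrice(int256 answer);
    error IncompleteRound();
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    /// @param maxAge Oldest acceptable update in seconds (assumption: set per feed).
    function read(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert NonPositivePrice(answer);
        if (updatedAt == 0) revert IncompleteRound();
        // A timestamp in the future is rejected first, so the subtraction cannot underflow.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }
        return uint256(answer);
    }
}

// Constructed mock feed: the test sets the values, they do not come from Chainlink.
contract MockFeed is AggregatorV3Interface {
    int256 public answer;
    uint256 public updatedAt;
    function set(int256 _answer, uint256 _updatedAt) external {
        answer = _answer;
        updatedAt = _updatedAt;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}

// Constructed consumer showing the call site; reverts instead of using a bad price.
contract Consumer {
    uint256 public constant MAX_AGE = 1 days; // assumption: placeholder threshold
    function eurUsd(AggregatorV3Interface feed) external view returns (uint256) {
        return CheckedFeed.read(feed, MAX_AGE);
    }
}
```

Calling `set(0, block.timestamp)`, `set(1e8, 0)` or `set(1e8, block.timestamp - 2 days)` on the mock makes `Consumer.eurUsd` revert with the matching custom error, while a positive answer updated within the last day is returned.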
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
