Chainlink's `latestRoundData` Might Return Stale or incorrect Results
Summary
The distributeAssets() function in the liquidationPool#DistributeAssets contract risks miscalculating LP rewards due to reliance on potentially inaccurate prices from Chainlink's latestRoundData(). This could lead to Liquidity providers experiencing loss or unfair distribution of rewards.
Vulnerability Details
The liquidationPool#DistributeAssets contract relies on Chainlink's latestRoundData() without verifying the returned values: priceEurUsd/Answer, timestamp, roundID, and answeredInRound. This can result in stale pricing data, as highlighted in the Chainlink Historical Data Documentation.
The distributeAssets() function, which distribute assets from liquidations to LP, is susceptible to reward miscalculations. If latestRoundData() provides inaccurate prices, stakers might face loss of rewards or receive unfairly distributed rewards, This can lead to reward issues because of these unreliable values.
Impact
Potential loss of rewards or unfair distribution of rewards due to unchecked values from the latestRoundData() API.
Tools Used
Manual
Recommendations
Make sure to add checks for stale data or implement an internal function that verifies the following values before returning a token's answer.
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.