distributeAssets() calls out to a Chainlink oracle via latestRoundData(). If Chainlink has a problem starting a new round and reaching consensus on the new value for the feed (e.g. Chainlink nodes abandon the feed, chain congestion, a vulnerability in or attack on the Chainlink system), consumers of this contract may continue using outdated, stale or incorrect data (if the oracles are unable to submit, no new round is started).
Oracle data feeds can return stale pricing data for a variety of reasons. If the returned pricing data is stale, this code will execute with prices that don't reflect current pricing, resulting in a potential loss of funds for the user and/or the protocol. Smart contracts should always check the updatedAt parameter returned from latestRoundData() and compare it to a staleness threshold.
The price of assetPriceUsd is derived from the oracle at asset.token.clAddr, so a stale feed affects both users and the protocol. With a stale price, "costInEuros" is computed from the stale value rather than the actual one, and since distributeAssets() distributes liquidated assets in proportion to each user's stake, this has a direct impact on, and causes loss to, users as well as the protocol.
Manual review
Recommend adding the following checks:
(uint80 roundId, int256 rawPrice, , uint256 updateTime, uint80 answeredInRound) = AggregatorV3Interface(XXXXX).latestRoundData();
require(rawPrice > 0, "Chainlink price <= 0");
require(updateTime != 0, "Incomplete round");
require(answeredInRound >= roundId, "Stale price");
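As an added example (not the project's code and not part of the original finding), the following Solidity library combines the three checks above with the staleness-threshold comparison on updatedAt that the finding calls for, and shows how a consumer like distributeAssets() would price an asset amount through it. The interface reproduction, the library/function/error names, the 10**decimals normalisation and the heartbeat value are assumptions; only latestRoundData() and its return tuple come from the real Chainlink AggregatorV3Interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface so the example compiles
// stand-alone; in a real project import it from @chainlink/contracts.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Guarded Chainlink read (hypothetical helper, not the audited code).
/// Rejects non-positive answers, incomplete rounds, rounds answered before
/// they were requested, and answers older than a caller-supplied max age.
library SafeChainlinkRead {
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    /// @param feed   Aggregator to read (the finding's asset.token.clAddr)
    /// @param maxAge Max acceptable age in seconds; choose per feed from its
    ///               documented heartbeat plus a small grace period
    /// @return price Positive answer, in the feed's own decimals
    /// @return dec   Feed decimals, so callers can normalise
    function getPrice(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (uint256 price, uint8 dec)
    {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt == 0) revert IncompleteRound(roundId);
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);
        // Under 0.8 checked arithmetic, an updatedAt in the future would
        // underflow and revert, which is the desired outcome for bad data.
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);

        return (uint256(answer), feed.decimals());
    }
}

/// @notice Sketch of a consumer in the style of distributeAssets().
contract GuardedPricer {
    using SafeChainlinkRead for AggregatorV3Interface;

    // Hypothetical heartbeat: 1 hour feed heartbeat plus 5 minutes of grace.
    uint256 public constant MAX_PRICE_AGE = 1 hours + 5 minutes;

    /// @notice USD value of `amount` (in `tokenDecimals`) of an asset,
    ///         scaled to 18 decimals. Reverts instead of using stale data.
    function assetValueUsd(
        AggregatorV3Interface feed,
        uint256 amount,
        uint8 tokenDecimals
    ) external view returns (uint256) {
        (uint256 price, uint8 feedDec) = feed.getPrice(MAX_PRICE_AGE);
        // amount * price, then rescale from tokenDecimals + feedDec to 18.
        return (amount * price * 1e18) / (10 ** (uint256(tokenDecimals) + feedDec));
    }
}
```

The updatedAt age check is the one that actually catches the scenario in this finding: if nodes stop submitting, roundId and answeredInRound simply stop advancing together, so `answeredInRound >= roundId` passes while the data ages indefinitely. Reverting is the conservative choice for a liquidation path; a protocol that cannot tolerate reverts would instead need a fallback price source, which is a design decision outside this finding.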