The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Chainlink's `latestRoundData` might return stale or incorrect results

Summary

Chainlink's latestRoundData() is used but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation:

https://docs.chain.link/data-feeds/historical-data

Vulnerability Details

In LiquidationPool.sol, the distributeAsset() function calls latestRoundData(), but there is no check on whether the return value indicates stale data.
The returned updatedAt timestamp is not checked.

Impact

Oracle price feeds can become stale for a variety of reasons. Using a stale price will result in incorrect calculations.

(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();

I have added the link above.

Tools Used

Manual Review

Recommendations

Consider checking the oracle response's updatedAt and roundId values after calling Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData(), verifying that the result is within an allowed margin of freshness.

Smart contracts should always check the updatedAt and roundId values returned from latestRoundData() and compare them to a staleness threshold.

For example:

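(uint80 roundId, int256 basePrice, , uint256 updatedAt, uint80 answeredInRound) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();

// The answer must have been computed in the round being reported, not carried over from an earlier one
require(answeredInRound >= roundId, "Price stale");
// The answer must be newer than the staleness threshold (in seconds)
require(block.timestamp - updatedAt < PRICE_ORACLE_STALE_THRESHOLD, "Price too old");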
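
A fuller version of the check recommended above, as an added example (not code from the submission or from The Standard's repository): a self-contained Solidity library that wraps latestRoundData() and, going beyond the two checks in the text, also rejects unset or future timestamps and non-positive answers. The library name FreshPrice, the function read, the error names and the maxAge parameter are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal copy of the Chainlink feed interface, declared inline so this file compiles alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper library; names and errors are assumptions, not the project's code.
library FreshPrice {
    error RoundIncomplete();
    error CarriedOverAnswer(uint80 roundId, uint80 answeredInRound);
    error NonPositivePrice(int256 answer);
    error StaleOrInvalidTimestamp(uint256 updatedAt, uint256 maxAge);

    /// @param feed   Chainlink aggregator for the asset (asset.token.clAddr on this page).
    /// @param maxAge Staleness threshold in seconds, chosen per feed (assumed parameter).
    function read(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // An unset timestamp means the round has not been completed.
        if (updatedAt == 0) revert RoundIncomplete();
        // The answer must come from the reported round, not an earlier one.
        if (answeredInRound < roundId) revert CarriedOverAnswer(roundId, answeredInRound);
        // A zero or negative price would corrupt any later division or unsigned cast.
        if (answer <= 0) revert NonPositivePrice(answer);
        // Ordered so a timestamp ahead of block.timestamp cannot underflow the subtraction.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StaleOrInvalidTimestamp(updatedAt, maxAge);
        }
        return uint256(answer);
    }
}
```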

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
