Chainlink's `latestRoundData` return stale or incorrect result
Summary
Chainlink's latestRoundData is used here to retrieve price feed data; however, there is insufficient protection against price staleness.
Return arguments other than int256 answer are necessary to determine the validity of the returned price, as it is possible for an outdated price to be received.
The return value updatedAt contains the timestamp at which the received price was last updated, and can be used to ensure that the price is not outdated. See more information about latestRoundID in the Chainlink docs. Inaccurate price data can lead to functions not working as expected and/or loss of funds.
Tools Used
Manual Review
Recommendations
Enforce the following checks to avoid stale prices.
...
( roundId, rawPrice, , updateTime, answeredInRound ) = AggregatorV3Interface(XXXXX).latestRoundData();
require(rawPrice > 0, "Chainlink price <= 0");
require(updateTime != 0, "Incomplete round");
require(answeredInRound >= roundId, "Stale price");
...
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.