Chainlink can return stale prices
Summary
The calls to the chainlink Aggregatorv3Interface should to make sure that the latest answer is recent enough to be used.
Vulnerability Details
The latestRoundData function in the LiquidationPool, SmartVault(which makes calls to the PriceCalculator) fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks for roundID or updated time.
Stale prices could put funds at risk.
According to Chainlink's documentation, This function does not error if no answer has been reached but returns 0, causing an incorrect price fed to the PriceOracle. The external Chainlink oracle, which provides index price information to the system, introduces risk inherent to any dependency on third-party data sources. For example, the oracle could fall behind or otherwise fail to be maintained, resulting in outdated data being fed to the index price calculations of the liquidity.
More info can be read here
https://docs.chain.link/docs/historical-price-data/#historical-rounds
https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round
Impact
The result of latestRoundData API will be used across various functions, therefore, a stale price from Chainlink can lead to loss of funds to end-users.
Tools Used
Manual Code Review
Recommendations
A major refactorring will be needed to check the prices for staleness
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.