The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

unchecked stale price from chainlink

kodyvim

Summary

Rewards could be recorded with stale price.

Vulnerability Details

Chainlink's latestRoundData() is used but there is no check if the return value indicates stale data.
This could lead to stale prices according to the Chainlink documentation:
https://docs.chain.link/docs/historical-price-data/#historical-rounds

distributeAssets() function uses Chainlink's latestRoundData() to get the latest price of tokens. However, there is no check if the return value indicates stale data.

Impact

Assets could be distributed with stale/invalid data for the given asset.

Tools Used

Manual Review

Recommendations

Consider adding checks for stale data. e.g

(uint80 roundId, int256 assetPriceUsd, , uint256 updatedAt, uint80 answeredInRound) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
require(price > 0, "Invalid price");
require(answeredInRound >= roundId, "Price stale");
require(block.timestamp - updatedAt < PRICE_ORACLE_STALE_THRESHOLD, "Price round incomplete");
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.