LiquidationPool::distributeAssets() does not check for staleness of pricefeed for eurusd
Summary
The price feed from Oracles could turn stale due to different reason outside the control of Oracle itself. It is a good idea to keep a provision in the system
to fallback on alternative when the feed turns sales.
Vulnerability Details
Currently implementation does not offer any alternative for eurusd price incase there is a failure to read or chainlink is offering a stale price.
Impact
Incorrect price leading to loss of investment
Tools Used
manual review
Recommendations
Use updatedAt value returned by the chainlink api to track the staleness from chainlink and alter the admin incase of price feed becoming sale.
implement a logic so that the time between last read and current read is not above a max time window. If the difference exceeds the time window, consider the price feed as sale.
https://docs.chain.link/data-feeds/api-reference#latestrounddata:~:text=updatedAt%3A%20Timestamp%20of%20when%20the%20round%20was%20updated.
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.