chainlink lastRoundedData() may return incorrect value or stale
Summary
The retrieval of price feed data through the utilization of Chainlink's latestRoundData is a widely accepted method. However, it is vital to note that the current approach lacks sufficient protection against price staleness. The int256 answer is not sufficient to determine the validity of the returned price as it is possible for an outdated price to be received. It is crucial to consider other return arguments to ascertain the accuracy of the price. A price feed may cease to update due to various reasons, which have been outlined here. Therefore, it is imperative to implement measures that safeguard against price staleness in the retrieval of price feed data.
The return value updatedAt contains the timestamp at which the received price was last updated, and can be used to ensure that the price is not outdated. See more information about latestRoundID in the Chainlink docs. Inaccurate price data can lead to functions not working as expected and/or loss of funds.
Vulnerability Details
Impact
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L207C7-L207C94
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L218
Tools Used
Manual review
Recommendations
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.