Using Chainlink's latestRoundData() function to retrieve the priceEurUsd and asset.token.clAddr prices without checking their 'age' could lead to using stale prices.
A similar issue can be found here.
The parameters of the feed.latestRoundData() interface, as documented by Chainlink, can be examined in detail here.
Only the answer variable is used in the LiquidationPool contract. There is no check that the price data returned from the oracle is recent enough to be used in calculating the values. This can result in faulty distribution of assets in the LiquidationPool::distributeAssets() function.
In the distributeAssets() function, users' positions can be slashed unfairly if the prices fetched from Chainlink are stale, since the assets are distributed based on their price in euros. The severity of the issue is high since loss of user funds is an imminent threat.
Manual review
Apply the precautions described in the issue linked in the summary. Consider adding the missing checks for stale data.