The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Calls to Oracles don't check for stale prices

Summary

Calls to Oracles don't check for stale prices.

Vulnerability Details

Many of the oracle calls do not check for stale prices. A Chainlink data feed can return stale data for a variety of reasons, for example if the feed's updaters stop posting rounds or the feed is deprecated. If the returned price is stale, this code executes with a price that does not reflect the current market, resulting in a potential loss of funds for users and/or the protocol.

// PriceCalculator::tokenToEurAvg method
(, int256 eurUsdPrice,,,) = clEurUsd.latestRoundData();
return collateralUsd / uint256(eurUsdPrice);

Impact

The lack of a staleness check on the oracle answer can lead to loss of funds for users and/or the protocol.

Tools Used

Manual review

Recommendations

Smart contracts should always read the updatedAt value returned by latestRoundData() and compare it against a staleness threshold, reverting when the answer is older than that threshold:

// PriceCalculator::tokenToEurAvg method
- (, int256 eurUsdPrice,,,) = clEurUsd.latestRoundData();
+ (, int256 eurUsdPrice,, uint256 updatedAt,) = clEurUsd.latestRoundData();
+ if (updatedAt < block.timestamp - 60 * 60 /* 1 hour */) {
+ revert("stale price feed");
+ }
return collateralUsd / uint256(eurUsdPrice);
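Review bot: the new updatedAt guard still passes a zero or negative eurUsdPrice straight into uint256(eurUsdPrice) on the following line, so a feed returning 0 reverts with a division-by-zero panic and a negative int256 answer wraps to a huge uint256; add an eurUsdPrice > 0 check beside the staleness check. The hard-coded 60 * 60 should also be a named, per-feed constant (heartbeats differ between feeds), and a custom error instead of revert("stale price feed") would be cheaper and easier to match in tests.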

The staleness threshold should correspond to the heartbeat of the oracle's price feed. This can be found on Chainlink's list of Ethereum mainnet price feeds by checking the "Show More Details" box, which reveals the "Heartbeat" column for each feed. In the case of clEurUsd (EUR/USD), the heartbeat is one hour.
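The following Solidity contract is an added example, not code from The Standard's repository, that puts the recommended staleness check together with the other validation a Chainlink consumer needs before dividing by the answer. It assumes the standard AggregatorV3Interface signature for latestRoundData(); the contract name, the GRACE_PERIOD value and the constructor parameters are choices made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal copy of Chainlink's AggregatorV3Interface, limited to the members used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// @notice Hypothetical EUR/USD price reader (not The Standard's PriceCalculator) showing the
///         validation a consumer should perform before using a Chainlink answer as a divisor.
contract SafeEurUsdReader {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);
    error RoundNotComplete();

    AggregatorV3Interface public immutable clEurUsd;

    /// Heartbeat taken from Chainlink's feed list (one hour for EUR/USD on Ethereum mainnet,
    /// as the finding notes). Passed in rather than hard-coded because it differs per feed.
    uint256 public immutable heartbeat;

    /// Assumed tolerance: a transmission can land a few blocks after the heartbeat deadline,
    /// and rejecting every such round would make the protocol unusable at the wrong moment.
    uint256 public constant GRACE_PERIOD = 15 minutes;

    constructor(address feed, uint256 feedHeartbeat) {
        clEurUsd = AggregatorV3Interface(feed);
        heartbeat = feedHeartbeat;
    }

    /// @dev Returns the latest validated EUR/USD answer together with the feed's decimals.
    function getEurUsdPrice() public view returns (uint256 price, uint8 feedDecimals) {
        (, int256 answer, , uint256 updatedAt, ) = clEurUsd.latestRoundData();

        // updatedAt == 0 means no answer has been written for the round yet.
        if (updatedAt == 0) revert RoundNotComplete();

        // Staleness: written as an addition so a future-dated updatedAt cannot underflow;
        // anything older than heartbeat + grace is refused.
        uint256 maxAge = heartbeat + GRACE_PERIOD;
        if (updatedAt + maxAge < block.timestamp) revert StalePrice(updatedAt, maxAge);

        // The answer is signed. Zero would cause division by zero in callers and a negative
        // value would wrap to a huge uint256, so both are rejected explicitly.
        if (answer <= 0) revert InvalidPrice(answer);

        return (uint256(answer), clEurUsd.decimals());
    }

    /// @dev Same division as the tokenToEurAvg snippet on this page, now on a validated price.
    ///      Decimal scaling is left out because the page does not show how it is handled.
    function usdToEur(uint256 collateralUsd) external view returns (uint256) {
        (uint256 eurUsdPrice, ) = getEurUsdPrice();
        return collateralUsd / eurUsdPrice;
    }
}
```

The threshold is heartbeat plus a grace period rather than the bare heartbeat: a round that lands a block or two after the deadline is still the freshest data available, and a protocol that reverts on every late update becomes unusable exactly when the market is moving. Deploy with the heartbeat of the specific feed (3600 seconds for the EUR/USD feed discussed here) rather than a single value shared across feeds.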

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
