A stale report could be validated by the `SettlementConfiguration::requireDataStreamsReportIsValid` function, leading to the potential use of outdated ask and bid prices in the `SettlementConfiguration::verifyOffchainPrice` function.
Summary
The lack of verification in the function SettlementConfiguration::requireDataStreamsReportIsValid to check if block.timestamp < premiumReport.observationsTimestamp could lead the function SettlementConfiguration::verifyOffchainPrice to return stale ask and bid prices.
Vulnerability Details
The function SettlementConfiguration::requireDataStreamsReportIsValid doesn't check if block.timestamp < premiumReport.observationsTimestamp. If premiumReport.validFromTimestamp + maxVerificationDelay > premiumReport.observationsTimestamp, the block.timestamp could be greater than premiumReport.observationsTimestamp, and the function wouldn't revert, thus validating a stale report:
Impact
A stale report could be validated by the SettlementConfiguration::requireDataStreamsReportIsValid function, leading to the potential use of outdated ask and bid prices in the SettlementConfiguration::verifyOffchainPrice function.
Tools Used
Manual Review
Recommendations
It is recommended to add a verification to the if statement:
Lead Judging Commences
There is a chance of consuming stale reports
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.