QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

`ChainlinkOracle::_getData()` doesn't check for stale prices and has incomplete round validation

Summary

`ChainlinkOracle::_getData()` doesn't check for stale prices and doesn't validate the round it reads.

Vulnerability Details

The function `_getData()` retrieves the latest round data using `latestRoundData()`, but it does not check whether the `updatedAt` timestamp is recent or whether `answeredInRound` matches the `roundId`. This leaves the function vulnerable to using stale data if the Chainlink oracle fails to update.

Impact

Code will execute with prices that don't reflect current pricing, resulting in a potential loss of funds for users.

Tools Used

Recommendations

The `_getData()` function should include checks to verify the freshness of the data:

  • Ensure that the updatedAt timestamp is within an acceptable threshold.

  • Verify that `answeredInRound` matches or exceeds `roundId` to confirm the data is from a completed, latest round.

function _getData() internal view override returns (int216, uint40) {
+ (uint80 roundId, int256 data,, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
require(data > 0, "INVLDDATA");
// Ensure it's the latest round
+ require(answeredInRound >= roundId, "STALEDATA");
// Check if the data is too old, for e.g 1 hour
+ uint256 threshold = 3600;
+ if (updatedAt < block.timestamp - threshold) revert();
data = data * int(10 ** normalizationFactor);
return (int216(data), uint40(updatedAt));
}
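Review bot: the staleness window `uint256 threshold = 3600;` is hard-coded inside the function, but different feeds have different heartbeats, so one fixed value will either reject valid rounds on slow feeds or accept stale rounds on fast ones; make it a per-feed parameter set at construction instead. Also, `if (updatedAt < block.timestamp - threshold) revert();` reverts with no reason while the neighbouring checks use `require` with messages; for consistency use `require(updatedAt >= block.timestamp - threshold, "STALEDATA");` or a custom error, so the failure is distinguishable from `INVLDDATA` when it surfaces in a transaction trace.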
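As an added example (not code from this submission or from the QuantAMM repository) of the two checks recommended above, the following Foundry test puts a hardened `_getData()` next to a controllable mock feed and shows the fresh round being accepted while the stale-round and incomplete-round cases revert. The `IAggregatorV3` interface mirrors the shape of Chainlink's `AggregatorV3Interface`; the contract names, the `heartbeat` constructor parameter, the custom errors and the one-hour window are assumptions, and `forge-std/Test.sol` is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Added example, not QuantAMM code. Interface shape follows Chainlink's
// AggregatorV3Interface; everything else below is an assumption for the demo.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Mock feed whose round data the test sets directly (constructed, not a real feed).
contract MockFeed is IAggregatorV3 {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function decimals() external pure returns (uint8) { return 8; }

    function set(uint80 r, int256 a, uint256 t, uint80 air) external {
        roundId = r; answer = a; updatedAt = t; answeredInRound = air;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}

// Hardened oracle: price must be positive, the round must be complete, and the
// answer must be no older than the per-feed heartbeat configured at deployment.
contract HardenedOracle {
    IAggregatorV3 public immutable priceFeed;
    uint256 public immutable heartbeat;            // max accepted age, per feed (assumed parameter)
    uint256 public immutable normalizationFactor;  // scale feed decimals up to 18

    error InvalidPrice();
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    constructor(IAggregatorV3 feed, uint256 heartbeat_) {
        priceFeed = feed;
        heartbeat = heartbeat_;
        normalizationFactor = 18 - feed.decimals();
    }

    function _getData() internal view returns (int216, uint40) {
        (uint80 roundId, int256 data,, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
        if (data <= 0) revert InvalidPrice();
        // Round must be complete: the answer belongs to this round or a later one.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // Freshness: reject an unset timestamp or one older than the heartbeat window.
        if (updatedAt == 0 || block.timestamp > updatedAt + heartbeat) revert StalePrice(updatedAt, heartbeat);
        data = data * int256(10 ** normalizationFactor);
        return (int216(data), uint40(updatedAt));
    }

    function getData() external view returns (int216, uint40) { return _getData(); }
}

contract StaleOracleTest is Test {
    MockFeed feed;
    HardenedOracle oracle;

    function setUp() public {
        feed = new MockFeed();
        oracle = new HardenedOracle(feed, 1 hours);
        vm.warp(10_000); // fixed block.timestamp so age arithmetic is deterministic
    }

    function testFreshRoundAccepted() public {
        feed.set(10, 2000e8, block.timestamp, 10);
        (int216 price, uint40 ts) = oracle.getData();
        assertEq(int256(price), 2000e18); // 8-decimal answer normalised to 18 decimals
        assertEq(uint256(ts), block.timestamp);
    }

    function testStaleRoundReverts() public {
        uint256 old = block.timestamp - 2 hours; // older than the 1-hour heartbeat
        feed.set(10, 2000e8, old, 10);
        vm.expectRevert(abi.encodeWithSelector(HardenedOracle.StalePrice.selector, old, uint256(1 hours)));
        oracle.getData();
    }

    function testIncompleteRoundReverts() public {
        feed.set(11, 2000e8, block.timestamp, 10); // answeredInRound lags roundId
        vm.expectRevert(abi.encodeWithSelector(HardenedOracle.IncompleteRound.selector, uint80(11), uint80(10)));
        oracle.getData();
    }
}
```

Run with `forge test --match-contract StaleOracleTest`. The heartbeat is passed at construction rather than hard-coded so that each feed can be given the window that matches its own update cadence, and the custom errors carry the offending values so a reverted transaction shows exactly which check failed.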
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_chainlink_staled_data_updateAt_roundId_known_issue

LightChaser: ## [Medium-4] Insufficient oracle validation
