The code that retrieves price data from Chainlink (_getData()) does not verify how recent (i.e., not stale) the returned information is. The function simply obtains the timestamp from the oracle without comparing it to block.timestamp or any “staleness threshold.” This absence of a check means the code could rely on outdated data which no longer reflects the current market situation, or potentially incorrect data (too old or too new) caused by node errors.
In ChainlinkOracle, the _getData() function returns (data, timestamp) but includes neither a staleness check (comparing the returned timestamp against block.timestamp with a maximum-age threshold) nor a check that the returned timestamp is not in the future. Omitting such checks makes it possible to use potentially stale (out-of-date) or incorrect data without detection.
The system may calculate subsequent steps (e.g., adjusting weights, allowing withdrawals, liquidity calculations, etc.) based on outdated prices, causing potential losses for the protocol or its users.
Manual
Ensure timestamp is not greater than block.timestamp (no “future” timestamps) to defend against erroneous or manipulated data.
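The following Solidity sketch is an added illustration of the recommended checks and is not code from the audited project. It assumes a contract named StalenessCheckedOracle, custom errors and a maxStaleness constructor parameter (all hypothetical); the AggregatorV3Interface.latestRoundData() signature is Chainlink's real one. The unchecked variant at the bottom mirrors the behaviour described above for contrast.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface (real signature).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical contract name and error names, used only for this example.
contract StalenessCheckedOracle {
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint256 updatedAt);
    error FutureTimestamp(uint256 updatedAt, uint256 blockTs);
    error StalePrice(uint256 updatedAt, uint256 blockTs, uint256 maxStaleness);

    AggregatorV3Interface public immutable feed;

    // Maximum accepted age of a price, in seconds. In practice this should be
    // derived from the feed's heartbeat (plus a safety margin), not a magic number.
    uint256 public immutable maxStaleness;

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        require(_maxStaleness > 0, "maxStaleness must be > 0");
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    // Hardened variant: returns (data, timestamp) only when the round is
    // complete, the price is positive, and the timestamp is neither in the
    // future nor older than maxStaleness.
    function _getData() internal view returns (uint256 data, uint256 timestamp) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();

        // Negative or zero answers indicate a broken or uninitialised feed.
        if (answer <= 0) revert InvalidPrice(answer);

        // updatedAt == 0 means the round has not been completed yet.
        if (updatedAt == 0) revert IncompleteRound(updatedAt);

        // No "future" timestamps: guards against erroneous or manipulated data.
        if (updatedAt > block.timestamp) revert FutureTimestamp(updatedAt, block.timestamp);

        // Staleness threshold: reject prices older than maxStaleness seconds.
        // Safe subtraction because updatedAt <= block.timestamp was checked above.
        if (block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp, maxStaleness);
        }

        return (uint256(answer), updatedAt);
    }

    // Unchecked variant, shown only to contrast with _getData(): it passes the
    // oracle timestamp straight through, so a stale or future-dated round is
    // consumed by downstream logic without any signal that it is unsafe.
    function _getDataUnchecked() internal view returns (uint256 data, uint256 timestamp) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        return (uint256(answer), updatedAt);
    }
}
```

A sensible maxStaleness is feed-specific: Chainlink feeds publish a heartbeat interval, and a threshold somewhat above that interval rejects rounds that stopped updating while tolerating normal reporting cadence. Reverting (rather than returning a flag) keeps the failure visible to the calling logic that adjusts weights, allows withdrawals or computes liquidity.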
LightChaser: ## [Medium-4] Insufficient oracle validation