QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Lack of Timestamp Check in Chainlink _getData() Function

Summary

The code that retrieves price data from Chainlink (_getData()) does not verify that the returned data is recent (i.e., not stale). The function simply obtains the timestamp from the oracle without comparing it to block.timestamp or to any "staleness threshold." Without such a check, the code may rely on outdated data that no longer reflects the current market, or on incorrect data (too old or too new) caused by node errors.

Vulnerability Details

In ChainlinkOracle, the _getData() function returns (data, timestamp) but does not include logic such as:

require(block.timestamp - timestamp <= stalenessThreshold, "Data too stale");

or

require(timestamp <= block.timestamp, "Timestamp error");

Omitting such checks makes it possible to use potentially stale (out-of-date) or incorrect data without detection.

Impact

The system may calculate subsequent steps (e.g., adjusting weights, allowing withdrawals, liquidity calculations, etc.) based on outdated prices, causing potential losses for the protocol or its users.

Tools Used

Manual

Recommendations

Ensure timestamp is not greater than block.timestamp (no “future” timestamps) to defend against erroneous or manipulated data.
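As an added illustration (not QuantAMM's code), the following hypothetical contract places the unchecked read described above beside a hardened _getData() that applies the recommended timestamp checks. It assumes Chainlink's AggregatorV3Interface and a placeholder stalenessThreshold supplied at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Mirrors the (data, timestamp)
// return shape described in the report; contract name is hypothetical.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract ChainlinkOracleExample {
    AggregatorV3Interface public immutable feed;
    // Maximum accepted age of the latest update. Should be set from the
    // feed's documented heartbeat plus a margin; the value is a placeholder
    // chosen by the deployer, not a number taken from the report.
    uint256 public immutable stalenessThreshold;

    constructor(address feedAddress, uint256 threshold) {
        feed = AggregatorV3Interface(feedAddress);
        stalenessThreshold = threshold;
    }

    // Vulnerable pattern described in the report: returns whatever the feed
    // says and never compares updatedAt against block.timestamp.
    function _getDataUnchecked() internal view returns (int256 data, uint256 timestamp) {
        (, data, , timestamp, ) = feed.latestRoundData();
    }

    // Hardened version: rejects "future" timestamps, stale updates,
    // incomplete rounds and non-positive answers.
    function _getData() internal view returns (int256 data, uint256 timestamp) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        // No future timestamps (erroneous or manipulated node data).
        require(updatedAt <= block.timestamp, "Timestamp error");
        // Reject data older than the configured staleness threshold.
        require(block.timestamp - updatedAt <= stalenessThreshold, "Data too stale");
        // Round must be complete (redundant on OCR feeds, harmless to keep).
        require(answeredInRound >= roundId, "Round not complete");
        // A zero or negative price is never a usable market value.
        require(answer > 0, "Invalid price");
        return (answer, updatedAt);
    }
}
```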

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_chainlink_staled_data_updateAt_roundId_known_issue

LightChaser: ## [Medium-4] Insufficient oracle validation
