Stale or incorrect chainlink price not validated
Root + Impact
The getPrice() function in StrataxOracle.sol retrieves Chainlink price data using latestRoundData() but ignores critical staleness and validity indicators (updatedAt and answeredInRound). This allows the contract to use outdated prices without detecting that Chainlink has stopped updating. Positions are opened and unwound using stale/incorrect prices, leading to incorrect leverage calculations, improper position sizing, and potential liquidations or substantial value loss.
Description
When a leveraged position is created or unwound, the contract calls calculateOpenParams() and calculateUnwindParams() to compute how much collateral to supply and how much to borrow. These calculations depend critically on accurate, real-time token prices from the oracle. The Stratax smart contract uses prices from StrataxOracle.getPrice() to size positions with the correct leverage multiplier.
Risk
Likelihood:
Depends on feed and network conditions
Impact:
-
Position is opened with higher effective leverage than intended (user expects 3x but gets 4x due to stale price). Position is immediately undercollateralized.
-
Stale price causes wrong collateral/debt ratio; position enters liquidation within minutes or hours as it tries to rebalance or as market moves slightly. User loses principal + liquidation penalties.
Proof of Concept
Recommended Mitigation
Require
updatedAtwithin a max age (e.g. 30 mins or 1 hour) andanswer == answeredInRound(or equivalent staleness checks) and revert with a clear error if stale.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.