Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
Submission Details
Severity: medium
Valid

Missing Staleness Check

Root + Impact

Description

The function does not validate whether the updatedAt timestamp returned by the feed is recent. Chainlink feeds can become:

1. Frozen
2. Paused
3. Stale
4. Unresponsive

Without a staleness threshold, the contract may rely on outdated pricing data.
Root Cause

getRoundData forwards the raw values of latestRoundData() to callers without checking updatedAt (or the answer) at all:

```solidity
@> function getRoundData(address _token)
       public
       view
       returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
   {
       address priceFeedAddress = priceFeeds[_token];
       require(priceFeedAddress != address(0), "Price feed not set for token");
       AggregatorV3Interface priceFeed = AggregatorV3Interface(priceFeedAddress);
       (roundId, answer, startedAt, updatedAt, answeredInRound) = priceFeed.latestRoundData();
   }
```

Risk

While this issue does not allow direct oracle manipulation by an attacker, it amplifies the impact of oracle downtime, delayed updates, or feed degradation, making it a medium-likelihood risk in live environments, especially for lending, liquidation, or pricing-sensitive logic.

Impact:
If a stale price is used:

  • Liquidations may fail

  • Borrow limits may be miscalculated


Proof of Concept

Not necessary

Recommended Mitigation

Add the following checks directly after the latestRoundData() call in getRoundData. MAX_DELAY is a constant the contract must define; it should be set from the heartbeat of the configured feed so that a feed that has stopped updating is rejected rather than trusted.

```diff
  (roundId, answer, startedAt, updatedAt, answeredInRound) = priceFeed.latestRoundData();
+ require(updatedAt > 0, "Incomplete round");
+ require(block.timestamp - updatedAt <= MAX_DELAY, "Stale price");
```
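As an added example (not Stratax project code), a price read with the recommended checks folded in; the contract name, setFeed and the per-token maxDelay mapping are assumptions, and the per-feed maximum age generalizes the single MAX_DELAY above, since Chainlink feeds have different heartbeats.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Stratax project code: a price read that applies the
// recommended checks and uses a per-feed maximum age instead of one MAX_DELAY,
// because Chainlink feeds have different heartbeats (e.g. 1h vs 24h).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract StalenessGuardedOracle {
    address public immutable owner;
    mapping(address => address) public priceFeeds; // token => Chainlink aggregator (assumed layout)
    mapping(address => uint256) public maxDelay;   // token => max accepted answer age in seconds

    constructor() {
        owner = msg.sender;
    }

    // Assumed admin hook: the feed's heartbeat (plus a margin) is registered together with the feed.
    function setFeed(address token, address feed, uint256 maxAgeSeconds) external {
        require(msg.sender == owner, "Not owner");
        require(feed != address(0) && maxAgeSeconds > 0, "Bad feed config");
        priceFeeds[token] = feed;
        maxDelay[token] = maxAgeSeconds;
    }

    // Returns the latest answer and its decimals; reverts instead of returning unusable data.
    function getPrice(address token) public view returns (uint256 price, uint8 decimals) {
        address feedAddr = priceFeeds[token];
        require(feedAddr != address(0), "Price feed not set for token");
        AggregatorV3Interface feed = AggregatorV3Interface(feedAddr);

        (, int256 answer,, uint256 updatedAt,) = feed.latestRoundData();
        // A round that has not completed carries updatedAt == 0; never price against it.
        require(updatedAt > 0, "Incomplete round");
        // Frozen, paused or unresponsive feed: the last update is older than this feed allows.
        require(block.timestamp - updatedAt <= maxDelay[token], "Stale price");
        // Chainlink answers are signed; zero or negative values indicate a broken feed.
        require(answer > 0, "Invalid price");

        return (uint256(answer), feed.decimals());
    }
}
```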
Updates

Lead Judging Commences

izuman Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Price feed has no staleness check

StrataxOracle contract fails to check if the price is stale, which can mess up swap calculations.
