Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium

Missing Staleness Check

Author: Revealed upon completion

Root + Impact

Description


The getRoundData function returns the result of latestRoundData() without validating that the returned updatedAt timestamp is recent. Chainlink feeds can become:

  1. Frozen
  2. Paused
  3. Stale
  4. Unresponsive

Without a staleness threshold, the contract may rely on outdated pricing data.
Root Cause

// @> latestRoundData() output is returned without any check on updatedAt
function getRoundData(address _token)
    public
    view
    returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
{
    address priceFeedAddress = priceFeeds[_token];
    require(priceFeedAddress != address(0), "Price feed not set for token");
    AggregatorV3Interface priceFeed = AggregatorV3Interface(priceFeedAddress);
    (roundId, answer, startedAt, updatedAt, answeredInRound) = priceFeed.latestRoundData();
    // @> no staleness check: an incomplete or outdated round is accepted as-is
}

Risk

While this issue does not allow direct oracle manipulation by an attacker, it amplifies the impact of oracle downtime, delayed updates, or feed degradation, making it a medium-likelihood risk in live environments—especially for lending, liquidation, or pricing-sensitive logic.

Impact:
If a stale price is used:

  • Liquidations may fail

  • Borrow limits may be miscalculated


Proof of Concept

Not necessary

Recommended Mitigation

Add the following checks to getRoundData immediately after the latestRoundData() call, where MAX_DELAY is the staleness threshold in seconds for the feed:

+ require(updatedAt > 0, "Incomplete round");
+ require(block.timestamp - updatedAt <= MAX_DELAY, "Stale price");
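As an added example, not the Stratax code or the author's submission, the snippet below shows a hardened getRoundData that applies both checks. It goes slightly beyond the single MAX_DELAY constant in the mitigation by storing a threshold per feed, since Chainlink heartbeats differ between feeds. The StalenessCheckedOracle and MockAggregator contracts, the maxDelay mapping, the custom errors and the setPriceFeed function are all assumptions introduced here for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface; only latestRoundData is needed here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative price reader with a staleness check (hypothetical contract, not Stratax code).
/// The deployer sets maxDelay per feed from that feed's documented heartbeat plus a buffer.
contract StalenessCheckedOracle {
    error PriceFeedNotSet(address token);
    error IncompleteRound(address feed, uint80 roundId);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxDelay);

    address public immutable owner;
    mapping(address => address) public priceFeeds; // token => aggregator
    mapping(address => uint256) public maxDelay;   // aggregator => max accepted age in seconds

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Assumed admin function: registers a feed together with its staleness threshold.
    function setPriceFeed(address token, address feed, uint256 maxAgeSeconds) external onlyOwner {
        require(feed != address(0) && maxAgeSeconds > 0, "bad feed config");
        priceFeeds[token] = feed;
        maxDelay[feed] = maxAgeSeconds;
    }

    function getRoundData(address token)
        public
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
    {
        address feed = priceFeeds[token];
        if (feed == address(0)) revert PriceFeedNotSet(token);

        (roundId, answer, startedAt, updatedAt, answeredInRound) = AggregatorV3Interface(feed).latestRoundData();

        // updatedAt == 0 means the round never completed; reject before any timestamp arithmetic.
        if (updatedAt == 0) revert IncompleteRound(feed, roundId);

        // Reject answers older than the feed's threshold. With 0.8 checked arithmetic an
        // updatedAt in the future also reverts (underflow), which is the safe outcome.
        if (block.timestamp - updatedAt > maxDelay[feed]) revert StalePrice(feed, updatedAt, maxDelay[feed]);
    }
}

/// Constructed mock feed used to exercise both reverts locally; not a Chainlink contract.
contract MockAggregator is AggregatorV3Interface {
    uint80 private _roundId;
    int256 private _answer;
    uint256 private _updatedAt;

    function set(uint80 roundId_, int256 answer_, uint256 updatedAt_) external {
        _roundId = roundId_;
        _answer = answer_;
        _updatedAt = updatedAt_;
    }

    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
    {
        return (_roundId, _answer, _updatedAt, _updatedAt, _roundId);
    }
}
```

To exercise it in a local test, register the mock with setPriceFeed(token, mock, 3600), then call mock.set(1, 2000e8, block.timestamp - 2 days) and observe getRoundData revert with StalePrice; mock.set(1, 2000e8, 0) reverts with IncompleteRound; a value of updatedAt within the last hour returns normally. Using a per-feed threshold rather than one global constant avoids the two failure modes a single MAX_DELAY produces: a value tuned for a fast feed spuriously rejects a slow one, and a value tuned for a slow feed lets a fast one go stale unnoticed.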
