Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: medium

Missing Staleness Check in Oracle Integration Leads to Potential Protocol Insolvency

Author: Revealed upon completion

Root + Impact

Description

The StrataxOracle contract reads prices through Chainlink's latestRoundData() but only validates that the returned answer is positive. It never checks the updatedAt timestamp or the answeredInRound value, so if the feed stops updating during market volatility the protocol keeps accepting the last published ("stale") price as if it were current.


// Root cause in the codebase with @> marks to highlight the relevant section
// File: StrataxOracle.sol
// Line 64 & 94
// The code fetches price but ignores metadata (updatedAt, roundId)
@> (, int256 answer,,,) = priceFeed.latestRoundData();
require(answer > 0, "Invalid price from oracle");

Risk

Likelihood:

This happens during high network congestion or extreme market crashes when oracle heartbeats are missed, causing the data to lag behind the real market price.


Impact:

The protocol will allow users to borrow or trade based on outdated prices. In a market crash, this leads to bad debt as the collateral is valued higher than its actual worth, potentially bankrupting the protocol.


Proof of Concept

// Exploit Scenario:
// 1. Real market price of ETH drops from $3000 to $2000.
// 2. Chainlink update lags; latestRoundData still returns $3000.
// 3. StrataxOracle.getPrice() returns $3000 because it doesn't check 'updatedAt'.
// 4. Attacker deposits ETH and borrows assets worth $3000.
// 5. Protocol is left with collateral worth $2000 for a $3000 debt.
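The following is an added example, not Stratax code, showing the hardened read described above and the frozen-feed scenario from the PoC in one compilable unit. It goes beyond the minimal fix by making the maximum price age a per-feed setting, since Chainlink feeds have different heartbeats. The contract names StalenessCheckedOracle and MockAggregator, the FeedConfig struct, the maxAge field and the error names are all assumptions; AggregatorV3Interface is a subset of Chainlink's real interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's real AggregatorV3Interface (only the members used below).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical hardened price reader (added example, not Stratax code).
///         Every feed carries its own maximum age because heartbeats differ per feed.
contract StalenessCheckedOracle {
    error UnknownAsset(address asset);
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    struct FeedConfig {
        AggregatorV3Interface feed;
        uint256 maxAge; // seconds: the feed's heartbeat plus a short grace period (chosen by the deployer)
    }

    address public immutable owner;
    mapping(address => FeedConfig) public feeds;

    constructor() {
        owner = msg.sender;
    }

    function setFeed(address asset, AggregatorV3Interface feed, uint256 maxAge) external {
        require(msg.sender == owner, "not owner");
        require(address(feed) != address(0) && maxAge > 0, "bad config");
        feeds[asset] = FeedConfig(feed, maxAge);
    }

    /// @return price     positive answer as uint256, in the feed's own decimals
    /// @return decimals  number of decimals the feed reports
    function getPrice(address asset) external view returns (uint256 price, uint8 decimals) {
        FeedConfig memory cfg = feeds[asset];
        if (address(cfg.feed) == address(0)) revert UnknownAsset(asset);

        (uint80 roundId, int256 answer, , uint256 updatedAt, ) = cfg.feed.latestRoundData();

        // 1. Reject non-positive answers (the only check the original code performed).
        if (answer <= 0) revert InvalidPrice(answer);
        // 2. updatedAt == 0 means the round never completed.
        if (updatedAt == 0) revert IncompleteRound(roundId);
        // 3. Reject answers older than this feed's configured maximum age.
        if (block.timestamp - updatedAt > cfg.maxAge) revert StalePrice(updatedAt, cfg.maxAge);

        return (uint256(answer), cfg.feed.decimals());
    }
}

/// @notice Test double for the PoC scenario: the feed stays frozen at $3000 while time moves on.
contract MockAggregator is AggregatorV3Interface {
    uint80 public roundId = 1;
    int256 public answer = 3000e8; // constructed sample value, 8 decimals like ETH/USD
    uint256 public updatedAt;

    constructor() {
        updatedAt = block.timestamp;
    }

    function decimals() external pure returns (uint8) {
        return 8;
    }

    // Simulate a new Chainlink round; never calling this simulates the missed heartbeat.
    function setRound(int256 newAnswer, uint256 newUpdatedAt) external {
        roundId += 1;
        answer = newAnswer;
        updatedAt = newUpdatedAt;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, roundId);
    }
}
```

In a Foundry test, register the mock with a maxAge of 3600, call getPrice once (it succeeds), then warp the block timestamp forward by more than maxAge without calling setRound: the second getPrice reverts with StalePrice, which is exactly the case the original single-field check lets through.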

Recommended Mitigation

- (, int256 answer,,,) = priceFeed.latestRoundData();
+ (uint80 roundId, int256 answer,, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
+ require(updatedAt != 0, "Incomplete round");
+ require(answeredInRound >= roundId, "Stale price");
+ require(block.timestamp - updatedAt < 3600, "Price is too old");
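Review bot: the 3600-second threshold on the `block.timestamp - updatedAt < 3600` line is hardcoded, but Chainlink heartbeats differ per feed, so one constant is either too loose for fast feeds or reverts spuriously on slow ones; make the maximum age a per-feed configured value (heartbeat plus a short grace period). The `answeredInRound >= roundId` check relies on a field Chainlink documents as deprecated, so it adds little beyond the `updatedAt` checks. The diff also shows only one call site, while the description names lines 64 and 94, so both reads need the same change.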
