Check for stale data before trusting Chainlink's response

zobront commented 1 year ago

Summary

Much of the math in the protocol is based on the data provided by Chainlink's ETH-USD feed.

According to Chainlink's documentation, it is important to provide additional checks that the data is fresh:

If answeredInRound is less than roundId, the answer is being carried over.
A timestamp with zero value means the round is not complete and should not be used.

Recommendation

Add the following checks to the _getEthPrice() function to ensure the data is fresh and accurate:


function _getEthPrice() public view returns (uint) {
-   ( , int price, , , ) = oracle.latestRoundData();
+   (uint80 roundID, int256 price,, uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
+   require(timeStamp != 0, "ChainlinkOracle::getLatestAnswer: round is not complete");
+   require(answeredInRound >= roundID, "ChainlinkOracle::getLatestAnswer: stale data");
    return price.toUint256();
}

shafu0x commented 1 year ago

fixed by https://github.com/DyadStablecoin/contracts-v3/pull/10

zobront commented 1 year ago

Fix confirmed in #10.

DyadStablecoin / contracts-v3

Check for stale data before trusting Chainlink's response #9

Summary

Recommendation