Git branch: H01
Affected smart contract
https://github.com/Fujicracy/fuji-v2/blob/1b939ec84af137db430fc2aa1b4c6f15e5254003/packages/protocol/src/FujiOracle.sol#L113-L115
Description
The FujiOracle contract uses Chainlink's latestRoundData API but does not check the returned data. According to the Chainlink documentation, this could lead to stale prices:
The result of the latestRoundData call is used across various functions, so a stale price from Chainlink can lead to loss of funds for end-users.
Attack scenario
The BorrowingVault contract uses this returned data in:
asset
maxWithdraw
and maxRedeem
All these functions are critical; if the returned price is stale, this could lead to a big loss for users, such as early liquidation.
Recommendation
Consider adding the missing checks for stale data, for example:
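As an added illustration (not code from the Fuji project or from the original report), the unchecked read the finding describes beside a hardened read that rejects non-positive, incomplete, or stale answers; the contract name, error names, and the per-feed `maxAge` parameter are assumptions, and the interface mirrors Chainlink's AggregatorV3Interface signature:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface (real signature of latestRoundData).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical reader contract used only to contrast the two patterns.
contract SafeChainlinkReader {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    // Unchecked pattern (the issue described above): every returned value is trusted,
    // so a stale or zero answer flows straight into price-dependent logic.
    function getPriceUnchecked(AggregatorV3Interface feed) external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }

    // Hardened pattern. `maxAge` is an assumed per-feed setting; in practice it is
    // the feed's documented heartbeat plus a small tolerance.
    function getPriceChecked(AggregatorV3Interface feed, uint256 maxAge) external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // Reject zero or negative answers (a feed can return 0 before its first round completes).
        if (answer <= 0) revert InvalidPrice(answer);

        // Reject rounds that never finished or that are older than the accepted age.
        // `updatedAt == 0` means the round is incomplete; a future timestamp is treated as invalid too.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }

        // Reject answers carried over from an earlier round than the one reported.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        return uint256(answer);
    }
}
```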