Open code423n4 opened 3 years ago
We will add this check, but disagree that this is a high severity bug.
Especially since we will be using BTC and ETH oracles to start, it is very rare that there will be stale data.
Since the contract only asks for latest data, incomplete rounds should be impossible, so we can discount them. Stale data is possible; I would rate this as Likelihood=LOW (it'll be difficult to make ChainLink oracles go stale) and Impact=Medium (this could only be used to create arb opportunities on loan collateral or liquidations, which will be limited to the price change during the stale period), resulting in a Severity=Low.
Handle
@cmichelio
Vulnerability details
Vulnerability Details
There is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation:
Impact
The price oracle might return unreliable price data which can lead to a variety of different issues in the protocol, for example, for liquidating more staker & lender tokens than required at fair market price.
Recommended Mitigation Steps
Add missing checks for stale data. See example here.
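An added example of the recommended mitigation, not code from the audited project or from the warden's report: a hypothetical contract that validates every field returned by Chainlink's `latestRoundData()` before trusting the answer. The contract name and the `maxPriceAge` parameter are assumptions; the interface signature is Chainlink's published `AggregatorV3Interface`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface.
interface AggregatorV3Interface {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt,
                 uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical price reader (not the audited project's contract) that
/// refuses to use a Chainlink answer from a stale or incomplete round.
contract StalenessCheckedOracle {
    AggregatorV3Interface public immutable feed;
    // Oldest acceptable price, in seconds. Assumed parameter; set it a little
    // above the feed's documented heartbeat so normal updates never trip it.
    uint256 public immutable maxPriceAge;

    constructor(AggregatorV3Interface _feed, uint256 _maxPriceAge) {
        feed = _feed;
        maxPriceAge = _maxPriceAge;
    }

    /// @return price The latest answer, only if its round is complete and fresh.
    function getPrice() external view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound)
            = feed.latestRoundData();

        // An answeredInRound below roundId means the answer was carried over
        // from an earlier round rather than computed for this one.
        require(answeredInRound >= roundId, "Chainlink: stale round");
        // updatedAt is zero while a round is still in progress.
        require(updatedAt != 0, "Chainlink: round not complete");
        // Reject answers older than the accepted heartbeat window.
        require(block.timestamp - updatedAt <= maxPriceAge, "Chainlink: price too old");
        // Feed answers are signed; a non-positive value is never a valid price here.
        require(answer > 0, "Chainlink: invalid price");

        price = uint256(answer);
    }
}
```

Each `require` maps to one failure mode the report describes: a carried-over answer, an unfinished round, an answer older than the heartbeat, and a non-positive value; callers such as liquidation paths then revert instead of pricing collateral off stale data.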