Use of deprecated Chainlink function `latestAnswer`

[code423n4]

Handle

shw

Vulnerability details

Impact

According to Chainlink's documentation, the latestAnswer function is deprecated. This function does not error if no answer has been reached but returns 0, causing an incorrect price fed to the Buoy3Pool.

Proof of Concept

Referenced code: Buoy3Pool.sol#L207 Buoy3Pool.sol#L214-L216

Referenced documentation: Chainlink - Deprecated API Reference Chainlink - Migration Instructions Chainlink - API Reference

Recommended Mitigation Steps

Use the latestRoundData function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is uncomplete, for example:

(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
require(answeredInRound >= roundID, "...");
require(timeStamp != 0, "...");

[kitty-the-kat]

disagree with severity (Low risk) Issue would cause deposits and withdrawals to stop, no funds lost

[ghoul-sol]

In my opinion halting the protocol deserves medium risk. While no funds are lost, from brand perspective it's a second worst thing. Keeping as medium risk.