`UniswapV3Oracle.sol` Does Not Use `latestRoundData()` Instead of `latestAnswer()`

[code423n4]

Handle

leastwood

Vulnerability details

Impact

This issue was submitted in WildCredit's previous audit but has not been fixed, so raising the issue again. latestAnswer() is used in UniswapV3Oracle.sol over latestRoundData() to get the latest price data for WETH. There are no checks to ensure the data received is fresh.

Proof of Concept

See the chainlink documentation.

Tools Used

Previous Audit

Recommended Mitigation Steps

Consider adding the following sanity checks.

(
roundId,
rawPrice,
,
updateTime,
answeredInRound
) = AggregatorV3Interface(XXXXX).latestRoundData();
require(rawPrice > 0, "Chainlink price <= 0");
require(updateTime != 0, "Incomplete round");
require(answeredInRound >= roundId, "Stale price");

[talegift]

Duplicate #55