code-423n4 / 2021-12-vader-findings


`latestRoundData()` does not update the oracle #82

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

Jujic

Vulnerability details

Impact

The method .latestRoundData() on an oracle returns the latest updated price from the oracle, but this is not the current price of an asset. To get an accurate current price you need to query it by calling the oracle and waiting for a callback to fulfill the request.

Inaccurate price data could quickly lead to a large loss of funds. Suppose the price of an asset moves down by 5% but your oracle is not updated.

Proof of Concept

https://github.com/code-423n4/2021-12-vader/blob/00ed84015d4116da2f9db0c68db6742c89e73f65/contracts/lbt/LiquidityBasedTWAP.sol#L86

Tools Used

Remix

https://github.com/code-423n4/2021-08-notional-findings/issues/18

Recommended Mitigation Steps

Recommend not fetching the latest price (having to call the oracle to update the price instead), and then waiting for the callback.
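
As an added example (not code from the Vader repository or from the warden's report), the checks a consumer of a Chainlink-style latestRoundData() feed can apply to the returned round so that a price the feed has not updated is rejected instead of being used. The interface subset is Chainlink's AggregatorV3Interface; the StalenessCheckedOracle contract, the maxStaleness parameter and its suggested value are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface, reproduced so the file compiles on its own.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical consumer contract (example only, not part of the Vader code base).
contract StalenessCheckedOracle {
    AggregatorV3Interface public immutable feed;

    // Maximum age in seconds a round may have before it is rejected.
    // Assumed value: tune it to the feed's heartbeat (a feed that pushes at
    // least hourly would take roughly 3600 plus a safety margin).
    uint256 public immutable maxStaleness;

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    // Pattern the finding warns about: whatever the feed last stored is
    // consumed as the current price, however old or incomplete the round is.
    function unsafeLatestPrice() external view returns (int256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return answer;
    }

    // Hardened pattern: the round is rejected when the answer is not positive,
    // the round never completed, the answer belongs to an earlier round than
    // the one reported, or the last update is older than maxStaleness.
    function safeLatestPrice() external view returns (uint256) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        require(answer > 0, "oracle: non-positive answer");
        require(updatedAt != 0, "oracle: round not complete");
        require(answeredInRound >= roundId, "oracle: answer from stale round");
        require(block.timestamp - updatedAt <= maxStaleness, "oracle: price too old");

        return uint256(answer);
    }
}
```

The updatedAt and answeredInRound fields are what distinguish a fresh answer from one the aggregator has not refreshed; a caller that ignores them cannot tell the two apart, which is the situation the finding describes. The maxStaleness bound must be chosen per feed, since feeds update on different heartbeats and deviation thresholds.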

jack-the-pug commented 2 years ago

Dup of #111