code-423n4 / 2022-01-yield-findings

Oracle prices could be not fresh #41

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x1f8b

Vulnerability details

Impact

Unsafe oracle call.

Proof of Concept

The contract Cvx3CrvOracle doesn't check that the data is fresh. It calls the method latestRoundData, which allows you to run some extra validations, but these validations were not made.

According to the chain.link documentation:

You can check answeredInRound against the current roundId. If answeredInRound is less than roundId, the answer is being carried over. If answeredInRound is equal to roundId, then the answer is fresh.

So it's required to check something like this:

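        // latestRoundData() returns (roundId, answer, startedAt, updatedAt, answeredInRound)
        (uint80 roundId, int256 daiPrice, , uint256 updateTime, uint80 answeredInRound) = DAI.latestRoundData();
        require(daiPrice > 0, "Chainlink price <= 0");      // reject zero or negative answers
        require(updateTime != 0, "Incomplete round");       // round has not been completed yet
        require(answeredInRound >= roundId, "Stale price"); // answer carried over from an earlier round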

Reference:

Tools Used

Manual review.

Recommended Mitigation Steps

Apply the mentioned changes.
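
The three checks from the report, placed in a complete consumer together with a mock feed that lets a test set any round tuple and exercise each failure case. This is an added example, not code from the Yield repository or from the reporter; `FreshPriceReader`, `MockFeed`, `set` and `price` are hypothetical names, and the interface is reduced to the single call used here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink aggregator interface, reduced to the one call this example uses.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical consumer (not Cvx3CrvOracle): every read goes through _freshPrice().
contract FreshPriceReader {
    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface feed_) { feed = feed_; }

    function _freshPrice() internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "Chainlink price <= 0");        // zero or negative answer
        require(updatedAt != 0, "Incomplete round");        // round not completed
        require(answeredInRound >= roundId, "Stale price"); // answer carried over
        return uint256(answer); // cast is safe: answer > 0 was checked above
    }

    function price() external view returns (uint256) { return _freshPrice(); }
}

// Constructed mock feed for tests. Setting answeredInRound below roundId models
// a carried-over answer; setting updatedAt to 0 models an incomplete round.
contract MockFeed is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 r, int256 a, uint256 u, uint80 air) external {
        (roundId, answer, updatedAt, answeredInRound) = (r, a, u, air);
    }

    function latestRoundData() external view override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        // startedAt is not used by the consumer; updatedAt is reused for it.
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}
```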

devtooligan commented 2 years ago

dup of #2

GalloDaSballo commented 2 years ago

Duplicate of #136