code-423n4 / 2022-01-yield-findings

Cvx3CrvOracle misses sanity checks for Chainlink responses #94

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

kenzo

Vulnerability details

When querying Chainlink for stable prices, Cvx3CrvOracle doesn't run sanity checks against stale or incomplete results. This is unlike Yield's ChainlinkMultiOracle, which does execute those checks.

Impact

Stale or incorrect results might be returned.

Proof of Concept

When querying Chainlink, Cvx3CrvOracle only checks that the price is bigger than 0:

        (, int256 daiPrice, , , ) = DAI.latestRoundData();
        (, int256 usdcPrice, , , ) = USDC.latestRoundData();
        (, int256 usdtPrice, , , ) = USDT.latestRoundData();

        require(daiPrice > 0 && usdcPrice > 0 && usdtPrice > 0,
            "Chainlink pricefeed reporting 0");

But further checks are needed to verify the price is not stale, as Yield's ChainlinkMultiOracle does:

        (roundId, price,, updateTime, answeredInRound) = AggregatorV3Interface(source.source).latestRoundData();
        require(price > 0, "Chainlink price <= 0");
        require(updateTime != 0, "Incomplete round");
        require(answeredInRound >= roundId, "Stale price");

Recommended Mitigation Steps

Add the missing sanity checks.
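
The missing checks applied to each of the three feeds, as an added example that is not part of the original report or of Yield's code. `CheckedStableFeeds`, `_checkedPrice`, `stablePrices` and `MockFeed` are hypothetical names; the `require` conditions are the ones quoted from ChainlinkMultiOracle above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; CheckedStableFeeds and MockFeed are hypothetical names.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

contract CheckedStableFeeds {
    AggregatorV3Interface public immutable DAI;
    AggregatorV3Interface public immutable USDC;
    AggregatorV3Interface public immutable USDT;

    constructor(AggregatorV3Interface dai, AggregatorV3Interface usdc, AggregatorV3Interface usdt) {
        DAI = dai; USDC = usdc; USDT = usdt;
    }

    // Reads one feed and rejects non-positive, incomplete and stale rounds.
    function _checkedPrice(AggregatorV3Interface feed) internal view returns (int256 price) {
        uint80 roundId; uint256 updateTime; uint80 answeredInRound;
        (roundId, price, , updateTime, answeredInRound) = feed.latestRoundData();
        require(price > 0, "Chainlink price <= 0");
        require(updateTime != 0, "Incomplete round");
        require(answeredInRound >= roundId, "Stale price");
    }

    // Every feed goes through the same checks, so one bad feed reverts the whole read.
    function stablePrices() external view returns (int256 daiPrice, int256 usdcPrice, int256 usdtPrice) {
        daiPrice = _checkedPrice(DAI);
        usdcPrice = _checkedPrice(USDC);
        usdtPrice = _checkedPrice(USDT);
    }
}

// Constructed mock feed for tests: set() lets each revert path be exercised.
contract MockFeed is AggregatorV3Interface {
    uint80 public roundId; int256 public answer; uint256 public updatedAt; uint80 public answeredInRound;

    function set(uint80 r, int256 a, uint256 u, uint80 air) external {
        (roundId, answer, updatedAt, answeredInRound) = (r, a, u, air);
    }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}
```

Setting a `MockFeed` to `answeredInRound < roundId` or `updatedAt == 0` with a positive answer makes `stablePrices()` revert, whereas the `price > 0` check alone would accept that round.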

iamsahu commented 2 years ago

136