Open code423n4 opened 2 years ago
I believe this is low risk since it can have benefit to consider the price stale when any of the 2 prices is not updated.
Considering as warden's QA report.
Preserving original title as warden did not submit a QA Report and issue was downgraded by judge: Bad updatedAt returned by ChainlinkUsdWrapper.latestRoundData
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L56
Vulnerability details
Impact
The current code returns the following:
If we're wrapping an asset that's relatively stable to eth price, the answer here might not be updated constantly. By returning the startedAt of the last answer update, it's possible that this answer is considered "stale" by the protocol.
Recommended Mitigation Steps
It's better to return the new updatedAt_ as the greater of the two: updatedAt_ from eth oracle, updatedAt_ from the asset oracle.
This way, if asset/eth is unchanged for a while, but there's an eth price move, we capture the correct updatedAt timestamp.
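
The trade-off between the mitigation proposed above and the comment that a stale component feed can be worth flagging, as an added Python model (not code from the report or from the Backd contracts). The policy names, the 2-hour freshness threshold and every timestamp are constructed assumptions.

```python
"""Model: how a two-feed USD wrapper's choice of updatedAt drives a staleness check."""

HOUR = 3600
NOW = 1_700_000_000   # constructed "current" block timestamp
MAX_AGE = 2 * HOUR    # assumed freshness threshold enforced by the price consumer

# Hypothetical policies for the updatedAt value the wrapper reports.
POLICIES = {
    "asset_only": lambda asset, eth: asset,        # timestamp of the asset/ETH feed alone
    "newest": lambda asset, eth: max(asset, eth),  # mitigation proposed in the report
    "oldest": lambda asset, eth: min(asset, eth),  # stale as soon as either feed is stale
}

# Constructed scenarios: (asset/ETH updatedAt, ETH/USD updatedAt).
SCENARIOS = {
    "both_fresh": (NOW - 600, NOW - 300),
    "asset_quiet_eth_fresh": (NOW - 6 * HOUR, NOW - 600),
    "asset_fresh_eth_halted": (NOW - 600, NOW - 6 * HOUR),
    "both_old": (NOW - 6 * HOUR, NOW - 5 * HOUR),
}


def is_stale(updated_at, now=NOW, max_age=MAX_AGE):
    """Consumer-side check: reject a price older than max_age seconds."""
    return now - updated_at > max_age


def staleness_matrix():
    """Return {scenario: {policy: is_stale}} for every combination."""
    return {
        label: {name: is_stale(pick(asset, eth)) for name, pick in POLICIES.items()}
        for label, (asset, eth) in SCENARIOS.items()
    }


def masked_by(policy):
    """Scenarios where `policy` reports fresh although one feed is past MAX_AGE."""
    pick = POLICIES[policy]
    return [
        label
        for label, (asset, eth) in SCENARIOS.items()
        if not is_stale(pick(asset, eth)) and (is_stale(asset) or is_stale(eth))
    ]


if __name__ == "__main__":
    for label, row in staleness_matrix().items():
        print(f"{label:24}", {name: "stale" if s else "fresh" for name, s in row.items()})
    print("masked by newest:", masked_by("newest"))
```

In this model the "newest" policy removes the stale verdict for a quiet asset/ETH feed, and it also reports fresh when the ETH/USD feed alone has stopped updating, which only the "oldest" policy flags.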