Although callers of ChainlinkUsd#latestRoundData can check for a nonzero price, they can't verify that the ETH oracle price used in this conversion was returned in a recent round. If the ETH oracle returns a stale price, the wrapper may return an inaccurate conversion.
Recommendation: Validate returned ETH price using roundId and answeredInRound.
JeeberC4
commented
2 years ago
Originally submitted by warden horsefacts in https://github.com/code-423n4/2022-04-backd-findings/issues/199, duplicate of https://github.com/code-423n4/2022-04-backd-findings/issues/17.
Missing freshness validation in ETH price oracle
The
ChainlinkUsdWrapper#_ethPrice()function does not check for a nonzero answer or validate that the price was returned in a recent round:ChainlinkUsdWrapper#_ethPriceAlthough callers of
ChainlinkUsd#latestRoundDatacan check for a nonzero price, they can't verify that the ETH oracle price used in this conversion was returned in a recent round. If the ETH oracle returns a stale price, the wrapper may return an inaccurate conversion.Recommendation: Validate returned ETH price using
roundIdandansweredInRound.