Oracle data feed is insufficiently validated

[code423n4]

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L523-L537

Vulnerability details

Impact

Price can be stale and can lead to wrong exchangeRate between asset and collateral

Proof of Concept

Oracle data feed is insufficiently validated. There is no check for stale price and round completeness. Price can be stale and can lead to wrong exchangeRate between asset and collateral

if (oracleMultiply != address(0)) {
    (, int256 _answer, , , ) = AggregatorV3Interface(oracleMultiply).latestRoundData();
    if (_answer <= 0) {
        revert OracleLTEZero(oracleMultiply);
    }
    _price = _price * uint256(_answer);
}

if (oracleDivide != address(0)) {
    (, int256 _answer, , , ) = AggregatorV3Interface(oracleDivide).latestRoundData();
    if (_answer <= 0) {
        revert OracleLTEZero(oracleDivide);
    }
    _price = _price / uint256(_answer);
}

Recommended Mitigation Steps

Validate data feed

if (oracleMultiply != address(0)) {
    (uint80 roundID, int256 _answer, , uint256 timestamp, uint80 answeredInRound) = AggregatorV3Interface(oracleMultiply).latestRoundData();
    if (_answer <= 0) {
        revert OracleLTEZero(oracleMultiply);
    }
    require(answeredInRound >= roundID, "ChainLink: Stale price");
    require(timestamp > 0, "ChainLink: Round not complete");
    _price = _price * uint256(_answer);
}

if (oracleDivide != address(0)) {
    (uint80 roundID, int256 _answer, , uint256 timestamp, uint80 answeredInRound) = AggregatorV3Interface(oracleDivide).latestRoundData();
    if (_answer <= 0) {
        revert OracleLTEZero(oracleDivide);
    }
    require(answeredInRound >= roundID, "ChainLink: Stale price");
    require(timestamp > 0, "ChainLink: Round not complete");
    _price = _price / uint256(_answer);
}

[0xA5DF]

Duplicate of #10

[amirnader-ghazvini]

Duplicate of #179