Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L97-L113
Vulnerability details
Impact
In ChainlinkOracle.sol, the function getChainlinkPrice(AggregatorV3Interface feed) contains the check require(updatedAt != 0, "Round is in incompleted state"); but nothing verifies that the price is recent and acceptable. If there is a problem with the oracle, outdated pricing data will be returned. Critical calculations for allowed borrowing and liquidations would then become inaccurate, and it might become possible to liquidate safe positions or take out under-collateralized borrows.
Tools Used
Manual Review
Recommended Mitigation Steps
Add a check to see if the price is recent and acceptable.
Assessed type
Oracle
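One way to implement the recommended check, as an added example that is not part of the original report and not Moonwell's code. The contract name FreshPriceReader, the maxPriceAge mapping, the admin setter and the new revert strings are hypothetical; the per-feed window is assumed to be chosen from each feed's published heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal copy of the Chainlink aggregator interface needed for the check.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical contract illustrating the mitigation.
contract FreshPriceReader {
    // Assumption: maximum accepted price age in seconds, set per feed.
    mapping(address => uint256) public maxPriceAge;
    address public immutable admin;

    constructor() {
        admin = msg.sender;
    }

    function setMaxPriceAge(AggregatorV3Interface feed, uint256 age) external {
        require(msg.sender == admin, "Only admin");
        require(age != 0, "Age cannot be zero");
        maxPriceAge[address(feed)] = age;
    }

    function getChainlinkPrice(AggregatorV3Interface feed) public view returns (uint256) {
        uint256 maxAge = maxPriceAge[address(feed)];
        // Fail closed: a feed without a configured window is never trusted.
        require(maxAge != 0, "No staleness window for feed");
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // Check quoted in the report: the round must be complete.
        require(updatedAt != 0, "Round is in incompleted state");
        // Added: "recent" means updatedAt lies within the configured window.
        require(updatedAt <= block.timestamp, "Round timestamp in the future");
        require(block.timestamp - updatedAt <= maxAge, "Stale price");
        // Added: "acceptable" means a strictly positive answer before the cast.
        require(answer > 0, "Invalid price");
        return uint256(answer);
    }
}
```

Reverting on a stale round blocks borrows and liquidations that depend on that feed until it updates again, so the window should sit somewhat above the feed's heartbeat rather than exactly at it.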