Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/PriceFeed.sol#L46
Vulnerability details
Impact
Chainlink's latestRoundData() is used, but there is no check on whether the return value indicates stale data. According to the Chainlink documentation, this could lead to stale prices.
The call AggregatorV3Interface(_quotePriceFeed).latestRoundData() uses Chainlink's latestRoundData() to get the latest price. However, there is no check on whether the return value indicates stale data.
Tools Used
Manual review
Recommended Mitigation Steps
Consider checking the updatedAt and roundId values of the oracle response after calling AggregatorV3Interface(_quotePriceFeed).latestRoundData(), verifying that the result is within an allowed margin of freshness.
Smart contracts should always check the updatedAt and roundId values returned from latestRoundData() and compare updatedAt against a staleness threshold.
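One way to implement the recommended check, as an added example that is not code from src/PriceFeed.sol or the Predy project. The FreshPrice library, its error names and the maxAge parameter are hypothetical; the threshold value is an assumption to be chosen from the feed's heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline
// so the example compiles on its own.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Hypothetical helper (added example, not the project's code).
library FreshPrice {
    error InvalidRound();
    error RoundNotComplete();
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    /// @param feed   Chainlink aggregator to read (_quotePriceFeed in the finding).
    /// @param maxAge Assumed staleness threshold in seconds.
    /// @return answer Price from the latest round, only if it passed all checks.
    function read(address feed, uint256 maxAge) internal view returns (int256 answer) {
        uint80 roundId;
        uint256 updatedAt;
        (roundId, answer,, updatedAt,) = AggregatorV3Interface(feed).latestRoundData();

        // A zero round id means the feed returned no valid round.
        if (roundId == 0) revert InvalidRound();

        // updatedAt == 0 means the round has not completed; a timestamp in the
        // future is rejected explicitly so the subtraction below cannot underflow.
        if (updatedAt == 0 || updatedAt > block.timestamp) revert RoundNotComplete();

        // Reject answers older than the allowed margin of freshness.
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
    }
}
```

Reverting on a stale round makes the caller fail closed instead of pricing against an outdated answer.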
Assessed type
Oracle