Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/PriceFeed.sol#L46
Vulnerability details
Impact
The absence of a round completeness check can result in stale prices and incorrect price returns, potentially causing financial losses. The getOraclePrice() function in the oracle wrapper relies on the latestRoundData() call to fetch the price of a specific token. While the returned timestamp is validated, the round completeness is not. As per Chainlink's documentation, this function does not produce an error if no answer is reached but instead returns 0 or outdated data. Consequently, the external Chainlink oracle, which supplies index price information, poses a risk due to its reliance on third-party data sources. If the oracle lags or fails to be properly maintained, it could provide outdated data for index price calculations.
This could lead to stale or incorrect price return values.
As a result, functions that rely on an accurate price feed might not work as expected, which can sometimes lead to loss of funds. The impact varies and depends on the specific situation.
Proof of Concept
Documentation of Chainlink
Tools Used
Manual Review
Recommended Mitigation Steps
Validate data feed for round completeness:
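One way to perform this validation, shown as an added example that is not code from the report or from the audited repository. The contract name `CheckedPriceReader`, the function `getCheckedPrice`, the error names and the `MAX_STALENESS` value are assumptions; only the `latestRoundData()` signature is Chainlink's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal Chainlink aggregator interface: only the call discussed in this finding.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper for illustration; not the audited PriceFeed contract.
contract CheckedPriceReader {
    error NonPositiveAnswer();
    error RoundIncomplete();
    error StaleRound();
    error StalePrice();

    // Assumed value: tune to the heartbeat of the specific feed.
    uint256 public constant MAX_STALENESS = 1 hours;

    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface _feed) {
        feed = _feed;
    }

    function getCheckedPrice() external view returns (uint256) {
        (uint80 roundId, int256 answer,, uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // latestRoundData() does not revert when no answer was reached, so a zero
        // or negative answer has to be rejected by the caller.
        if (answer <= 0) revert NonPositiveAnswer();
        // updatedAt == 0 means the round has not completed.
        if (updatedAt == 0) revert RoundIncomplete();
        // The answer was carried over from an earlier round than the one reported.
        if (answeredInRound < roundId) revert StaleRound();
        // Timestamp check: reject answers older than the accepted window.
        if (block.timestamp - updatedAt > MAX_STALENESS) revert StalePrice();

        return uint256(answer);
    }
}
```

Chainlink's current API reference marks `answeredInRound` as deprecated, so on current feeds the `answer` and `updatedAt` checks do most of the work; the round comparison is kept here because it is the completeness check this finding asks for.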
Assessed type
Other