hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for Hats Finance audit competition

latestRoundData() in the CvgV3Aggregator oracle can return very stale data #11

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @https://github.com/maarcweiss
Submission hash (on-chain): 0x1ca6053f7ace82b29e7452ff449275e87ac98f019064c42f2f6561cca4d21740
Severity: medium

Description:

TITLE latestRoundData() in the CvgV3Aggregator oracle can return very stale data

Currently the owner is able to update the CvgV3Aggregator price. This price is stored in the latestPrice variable and can be fetched through the latestRoundData() function. The lastUpdate variable is also updated when the price is updated.


    function setLatestPrice(int256 _newPrice) external onlyOwner {
        latestPrice = _newPrice;
        lastUpdate = block.timestamp;
        emit SetLatestPrice(_newPrice, block.timestamp);
    }

When prices are fetched after this, the latestRoundData() function returns the latest price.

    function latestRoundData()
        external
        view
        override
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        )
    {
        // roundId, startedAt and answeredInRound are always 0; only answer and updatedAt carry data
        return (0, latestPrice, 0, lastUpdate, 0);
    }

Currently, there is no safeguard to ensure that the price is not stale. Even if there is an off-chain component that periodically updates the price, there is no guarantee that the price is not stale in the contract. If there were any issues in the future with the off-chain component, the contract would return a very stale price.

SEVERITY

Medium

A LINK TO THE GITHUB CODE

https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/blob/f43c5d9bc6b30c9f488e34836f09dc04d8f7361f/contracts/Oracles/CvgV3Aggregator.sol#L59

SOLUTION

Add a safeguard similar to what Chainlink consumers use: check that the latest timestamp is not older than a value you are comfortable with. It could be something around 30 seconds.
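
The consumer-side staleness check the submission proposes, written out as an added example; this is not code from the Convergence repository or from either commenter. The mock aggregator mirrors the two functions quoted above; the consumer contract, its name, its errors and the maxPriceAge parameter are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal subset of Chainlink's AggregatorV3Interface. CvgV3Aggregator is assumed to
/// expose the same latestRoundData() signature shown in the report.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Constructed mock that mirrors the two functions quoted in the report (not the project's contract).
contract MockCvgV3Aggregator is IAggregatorV3 {
    address public owner;
    int256 public latestPrice;
    uint256 public lastUpdate;

    constructor() {
        owner = msg.sender;
    }

    function setLatestPrice(int256 _newPrice) external {
        require(msg.sender == owner, "not owner");
        latestPrice = _newPrice;
        lastUpdate = block.timestamp;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        // Same shape as the report: roundId, startedAt and answeredInRound are always 0.
        return (0, latestPrice, 0, lastUpdate, 0);
    }
}

/// Hypothetical consumer (for instance a bond deposit path) that refuses stale or invalid answers.
contract GuardedPriceConsumer {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    IAggregatorV3 public immutable aggregator;
    /// Maximum accepted age of the answer, in seconds (assumed parameter). It must exceed the
    /// off-chain updater's real cadence plus some slack, or every call reverts between updates.
    uint256 public immutable maxPriceAge;

    constructor(IAggregatorV3 _aggregator, uint256 _maxPriceAge) {
        aggregator = _aggregator;
        maxPriceAge = _maxPriceAge;
    }

    /// Returns the price as uint256 or reverts. Because roundId and answeredInRound are both 0
    /// in this oracle, the usual Chainlink `answeredInRound >= roundId` check passes trivially,
    /// so the updatedAt comparison is the only staleness signal available.
    function getFreshPrice() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = aggregator.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        // A never-updated oracle has updatedAt == 0 and fails this check as well.
        // The first clause avoids an underflow panic if updatedAt is somehow in the future.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, maxPriceAge);
        }
        return uint256(answer);
    }

    /// Example entry point: values a deposit at a price that passed the freshness check.
    function quote(uint256 amount) external view returns (uint256) {
        return amount * getFreshPrice();
    }
}
```

Deploy MockCvgV3Aggregator, deploy GuardedPriceConsumer with its address and a maxPriceAge, call setLatestPrice, and quote() succeeds; once more than maxPriceAge seconds pass without another setLatestPrice, quote() reverts with StalePrice instead of silently using the old value. The 30-second window suggested above is tight for an owner-pushed oracle: on Ethereum mainnet a single 12-second slot is already a large fraction of it, so one missed updater run would make every dependent call revert. A window set to a small multiple of the updater's actual cadence is the usual compromise between liveness and staleness.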

0xR3vert commented 1 year ago

Hello, thanks a lot for your attention. We are already checking the latestRoundData in the deposit function of our bonds. In conclusion, we have to consider this issue as invalid.