Chainlink `latestRoundData` may return an stale result

[hats-bug-reporter[bot]]

Github username: -- Submission hash (on-chain): 0x1f6290600206dafdd983c532db42e6fa6d92071f459decc20fbcaf099fc54647 Severity: medium

Description: Description\ Chainlink's latestRoundData is used here to retrieve price feed data; however, there is insufficient protection against price staleness.

Return arguments other than int256 answer are necessary to determine the validity of the returned price, as it is possible for an outdated price to be received. See here for reasons why a price feed might stop updating.

The return value updatedAt contains the timestamp at which the received price was last updated, and can be used to ensure that the price is not outdated. See more information about latestRoundID in the Chainlink docs. Inaccurate price data can lead to functions not working as expected and/or loss of funds.

Code\ https://github.com/Cvg-Finance/hats-audit/blob/da48577d2f42fa8c2e35bb7223208ea6ba88012e/contracts/Oracles/CvgOracle.sol#L202-L205

Recommendation\ Add a check for the updatedAt returned value from latestRoundData.

[shalbe-cvg]

Hello, Thanks a lot for your attention.

The verification allowing us not to get a stale price from Chainlink is already implemented under another function of the contract: _getAndVerifyOracleAndAggregatorPrices.

We have so to consider this issue as Invalid.