hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for Hat finance audit competition

`CvgOracle#getPriceAggregator` may return stale or incorrect price #54

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @Madalad

Submission hash (on-chain): 0xce98c416de92f0e84a62a91f90e9dd7b6aa6736e00edaeb3c0e784a894d8ec1b

Severity: medium

Description:


Chainlink's `latestRoundData` is used in `CvgOracle`'s `_getPriceAggregator` function to retrieve price feed data; however, there is insufficient protection against price staleness.

See here for reasons why a price feed might stop updating.

Link to code snippet: https://github.com/Cvg-Finance/hats-audit/blob/main/contracts/Oracles/CvgOracle.sol#L203

Impact

Inaccurate price data can potentially lead to loss of funds through undercollateralization and/or unfair liquidation.

Recommendation

Implement a check on the lastUpdate value and revert if the price is stale:

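```solidity
// latestRoundData() returns (roundId, answer, startedAt, updatedAt, answeredInRound);
// only the answer and the last update timestamp are needed here.
(, int256 chainlinkPrice, , uint256 lastUpdate, ) = aggregator.latestRoundData();
// Revert when the last update is older than the allowed delay.
require(block.timestamp - lastUpdate < MAX_DELAY, "stale price");
```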
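
The recommended check, expanded into a self-contained consumer contract. This is an added example, not code from the submission or from the Convergence repository; the contract name `StalenessCheckedFeed`, the `maxDelay` parameter and the custom errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Subset of Chainlink's AggregatorV3Interface, declared inline so the file compiles alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical consumer contract (not CvgOracle).
contract StalenessCheckedFeed {
    error IncompleteRound();
    error NonPositivePrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxDelay);

    AggregatorV3Interface public immutable aggregator;
    // Assumed to be configured per feed: the feed's heartbeat plus a safety margin.
    uint256 public immutable maxDelay;

    constructor(AggregatorV3Interface _aggregator, uint256 _maxDelay) {
        require(_maxDelay != 0, "maxDelay is zero");
        aggregator = _aggregator;
        maxDelay = _maxDelay;
    }

    /// @notice Returns the latest answer, reverting instead of returning unusable data.
    function getPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = aggregator.latestRoundData();

        // A zero timestamp indicates a round that has not been completed.
        if (updatedAt == 0) revert IncompleteRound();

        // A zero or negative answer cannot be used as a price and must not be cast to uint256.
        if (answer <= 0) revert NonPositivePrice(answer);

        // Same condition as the report's require(): revert when the age reaches maxDelay.
        // If updatedAt were in the future, the checked subtraction reverts, which fails closed.
        if (block.timestamp - updatedAt >= maxDelay) revert StalePrice(updatedAt, maxDelay);

        return uint256(answer);
    }
}
```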

0xR3vert commented 1 year ago

Hello, thanks a lot for your attention. We already check if the aggregator price is stale in our function. In conclusion, we have to consider this issue as invalid.