The age of exchange rates is not checked, which can result in situations where old exchange rates are used.
Vulnerability Detail
_calculateSecondaryDebt calls buildExchangeRate, which queries the oracle. However, the updatedAt timestamp is ignored, meaning that the returned rate can be arbitrarily old.
Impact
When the exchange rate was not updated in a long time, this enables arbitrage opportunities, as Notional is using a wrong exchange rate.
Lambda
medium
ExchangeRate age not checked
Summary
The age of exchange rates is not checked, which can result in situations where old exchange rates are used.
Vulnerability Detail
_calculateSecondaryDebtcallsbuildExchangeRate, which queries the oracle. However, theupdatedAttimestamp is ignored, meaning that the returned rate can be arbitrarily old.Impact
When the exchange rate was not updated in a long time, this enables arbitrage opportunities, as Notional is using a wrong exchange rate.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L412
Tool used
Manual Review
Recommendation
Ensure that the exchange rate is not too old.
Duplicate of #133