sherlock-audit / 2023-04-unitasprotocol-judging


okolicodes - Stale Prices could be returned due to lack of rounding check on the getLatestPrice Function. #135

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

okolicodes

medium

Stale Prices could be returned due to lack of rounding check on the getLatestPrice Function.

Bug origin

Summary

There is no check in the getLatestPrice() function of the oracles for round completeness or the returned timestamp, and this could lead to stale, outdated, or wrong price return values, which could affect other functions that depend on the getLatestPrice() function.

Vulnerability Detail

In the XOracle.sol contract the getLatestPrice

    // Returns the stored price as-is: no check that the round is complete
    // or that the stored value is recent.
    function getLatestPrice(address asset) public view returns (uint256) {
        return prices[asset].price;
    }

According to Chainlink's documentation, this function does not error if no answer has been reached but returns 0 or outdated round data. The external Chainlink oracle, which provides index price information to the system, introduces risk inherent to any dependency on third-party data sources. For example, the oracle could fall behind or otherwise fail to be maintained, resulting in outdated data being fed to the index price calculations. Reliance on oracles has historically resulted in crippled on-chain systems, and complications that lead to these outcomes can arise from things as simple as network congestion. More information/reason for this: Click this

Impact

This could lead to stale prices and wrong price return values, or outdated prices. As a result, the functions that rely on accurate price feeds might not work as expected due to wrong calculations made with stale prices, which sometimes can lead to fund loss. The impacts vary and depend on specific situations.

Code Snippet

Manual Review

Recommendation

Validate getLatestPrice() for round completeness and for the returned timestamp.
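The checks the recommendation asks for, as an added example that is not the project's XOracle.sol nor code from the report: a hypothetical wrapper reading a Chainlink AggregatorV3 feed directly (rather than the cached `prices[asset].price` struct) and rejecting incomplete rounds, zero or too-old `updatedAt`, and non-positive answers. `ValidatedOracle`, `feeds`, `maxAge` and the error names are assumptions; feed registration by an admin is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface; only latestRoundData is used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical oracle wrapper (not the project's XOracle.sol) showing the
// round-completeness and timestamp validation the report recommends.
contract ValidatedOracle {
    error NoFeed(address asset);
    error IncompleteRound(address asset, uint80 roundId, uint80 answeredInRound);
    error StalePrice(address asset, uint256 updatedAt);
    error InvalidPrice(address asset, int256 answer);

    // Assumed: one Chainlink feed per asset and a per-asset maximum accepted
    // age in seconds (the feed's heartbeat plus a margin), set by a trusted admin.
    mapping(address => AggregatorV3Interface) public feeds;
    mapping(address => uint256) public maxAge;

    function getLatestPrice(address asset) public view returns (uint256) {
        AggregatorV3Interface feed = feeds[asset];
        if (address(feed) == address(0)) revert NoFeed(asset);

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // Round completeness: an answer that belongs to an earlier round than
        // the one being reported means the current round has not finalized.
        if (answeredInRound < roundId) revert IncompleteRound(asset, roundId, answeredInRound);

        // Timestamp: updatedAt == 0 means no answer yet; an answer older than
        // the configured maximum age is treated as stale and rejected.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge[asset]) {
            revert StalePrice(asset, updatedAt);
        }

        // Chainlink answers are signed int256; zero or negative is never a valid price.
        if (answer <= 0) revert InvalidPrice(asset, answer);

        return uint256(answer);
    }
}
```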