No check for stale price may lead to unexpected swap output
Summary
Unitas Protocols intends to use their own oracle, which has functionality to record the timestamp at which the given price was fed, but it does not uses these to check weather price received is stale or not. As the core functionality of protocol is to protect against volatility of emerging market currencies with respect to US Dollar, it is very important to have fresh price feed, otherwise it can be exploited during rare but still possible times of volatility.
Vulnerability Detail
Swap functionality of protocol uses the getLatestPrice() function which returns the latest price.
But this price can be outdated specially during the time of high volatility. Better approach would be to used the also fetch the timestamp at which price was submitted, and using that timestamp check weather the price is fresh enough to consider for further computation based on the predetermined criterion.
XOracle (implemented and maintained by protocol) does have function which also returns the timestamp at which price was fed.
It would be better to use this timestamp to compare it with current timestamp to check for freshness of price and then only use price if it is not stale.
Impact
User may loss funds because of incorrect swap calculation due to stale price being used.
Use getPrice() function of oracle to get the latest price along with timestamp at which it was registered and then implement check using that to verify the weather price is not stale or not.
Norah
medium
No check for stale price may lead to unexpected swap output
Summary
Unitas Protocols intends to use their own oracle, which has functionality to record the timestamp at which the given price was fed, but it does not uses these to check weather price received is stale or not. As the core functionality of protocol is to protect against volatility of emerging market currencies with respect to US Dollar, it is very important to have fresh price feed, otherwise it can be exploited during rare but still possible times of volatility.
Vulnerability Detail
Swap functionality of protocol uses the getLatestPrice() function which returns the latest price.
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L439
But this price can be outdated specially during the time of high volatility. Better approach would be to used the also fetch the timestamp at which price was submitted, and using that timestamp check weather the price is fresh enough to consider for further computation based on the predetermined criterion.
XOracle (implemented and maintained by protocol) does have function which also returns the timestamp at which price was fed.
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/XOracle.sol#L49-L56
It would be better to use this timestamp to compare it with current timestamp to check for freshness of price and then only use price if it is not stale.
Impact
User may loss funds because of incorrect swap calculation due to stale price being used.
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/XOracle.sol#L58-L60
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L417-L465
Tool used
Manual Review
Recommendation
Use getPrice() function of oracle to get the latest price along with timestamp at which it was registered and then implement check using that to verify the weather price is not stale or not.
Duplicate of #150