PriceOracle#getPriceFromChainlink may return stale data
Summary
getPriceFromChainlink make the registry.latestRoundData subcall but only validates the price. It doesn't validate when price was last updated. Chainlink oracle have a built in heartbeat and data that has been updated outside of this window is stale and cannot be trusted.
The above lines never validate when the price was last updated allowing for it to use stale data. Using outdated price data can lead to over borrowing or unfair liquidation.
Impact
Contract can consume outdated information leading to incorrect prices
0x52
medium
PriceOracle#getPriceFromChainlink may return stale data
Summary
getPriceFromChainlink make the registry.latestRoundData subcall but only validates the price. It doesn't validate when price was last updated. Chainlink oracle have a built in heartbeat and data that has been updated outside of this window is stale and cannot be trusted.
Vulnerability Detail
PriceOracle.sol#L66-L72
The above lines never validate when the price was last updated allowing for it to use stale data. Using outdated price data can lead to over borrowing or unfair liquidation.
Impact
Contract can consume outdated information leading to incorrect prices
Code Snippet
PriceOracle.sol#L66-L72
Tool used
Manual Review
Recommendation
Validate the update time to make sure it is within the heartbeat period.
Duplicate of #9