martin - `getPriceFromChainlink` function might return stale results

[sherlock-admin]

martin

medium

getPriceFromChainlink function might return stale results

Summary

In the PriceOracle contract, you are using Chainlink’s latestRoundData API, but there are missing checks, for example, updatedAt property is not extracted and validated.

Vulnerability Detail

Missing multiple validation checks, only price > 0 was performed which is totally insufficient.

Impact

For instance not checking how stale the answer is could lead to stale prices according to the Chainlink documentation and even to entirely drained protocols.

Code Snippet

67: (, int256 price,,,) = registry.latestRoundData(base, quote);
68: require(price > 0, "invalid price");

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L66

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L107

Tool used

Manual Review

Recommendation

Consider adding the missing checks:

-- (, int256 price,,,) = registry.latestRoundData(base, quote);

++ (uint80 roundId, int256 price, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) = registry.latestRoundData(base, quote);
++ require(roundId>= answeredInRound, “Wrong oracle data”);
++ require(answeredInRound >= roundId, "Stale price");
++ require(block.timestamp - updatedAt <= MAX_ORACLE_FRESHNESS_SECONDS>, "Last price update was too long ago.");

Duplicate of #9