Check for stale data before trusting Chainlink's response

Summary

Lack of checks for round completeness may result in the utilization of stale prices, leading to incorrect price return values or outdated pricing information. Consequently, functions that depend on accurate price feeds may not operate as intended, potentially resulting in financial losses.

Vulnerability Detail

As Chainlink recommends:

Your application should track the latestTimestamp variable or use the updatedAt value from the latestRoundData() function to make sure that the latest answer is recent enough for your application to use it. If your application detects that the reported answer is not updated within the heartbeat or within time limits that you determine are acceptable for your application, pause operation or switch to an alternate operation mode while identifying the cause of the delay.

So it is recommended to use extra informations provided in latestRoundData function, such as:

If answeredInRound is less than roundId, the answer is being carried over.
A timestamp with zero value means the round is not complete and should not be used.

Impact

Functions that depend on accurate price feeds may not operate as intended, potentially resulting in financial losses.

Code Snippet

PriceOracle.sol #L67

(, int256 price,,,) = registry.latestRoundData(base, quote);

PriceOracle.sol #L107

(, int256 price,,,) = registry.latestRoundData(aggrs[i].base, aggrs[i].quote);

Tool used

Manual Review

Recommendation

Instead of just taking price from Chainlinks' latestRoundData() function, get all return values, and to make sure that the data is not stale, use checks such as:

require(timeStamp != 0);
require(answeredInRound >= roundID);

before returning price.

Duplicate of #9

sherlock-audit / 2023-05-ironbank-judging

Kose - Check for stale data before trusting Chainlink's response #466