Returned values of Chainlink Oracle are not verified

Summary

Chainlink Oracle returned values are not handled properly.

Vulnerability Detail

Chainlink oracle return values are not handled properly, the priceFeed will return the following variables:

roundId
startedAt
timeStamp -answeredInRound

These returned values are meant to be used to do some extra checks before updating the price. By just using the answer, the contract may get stale prices and incomplete rounds.

Impact

The returned price can be outdated.

Code Snippet

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L67

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L107

Tool used

Manual Review

Recommendation

-   (, int256 price, , , ) = registry.latestRoundData(base, quote));
+   (uint80 roundID, int256 price, , uint256 timestamp, uint80 answeredInRound) = registry.latestRoundData(base, quote));
+   require(answer > 0, "" Chainlink price <= 0"");
+   require(answeredInRound >= roundID , "" Stale price "");
+   require(timestamp != 0, "" Round not complete "");"

Duplicate of #9

sherlock-audit / 2023-05-ironbank-judging

gkrastenov - Returned values of Chainlink Oracle are not verified #469