oracle - freshness of price value is not checked.

Summary

contract has chain-link oracle where the latestRoundData and getRoundData are used to fetch the price and used throughout the contract.

But the freshness of its value is not validated.

Vulnerability Detail

ChainlinkAggregator.sol has the following functions. price value is fetched and updated as ChainlinkRound for further use.

function getLatestRound(ChainlinkAggregator self) internal view returns (ChainlinkRound memory) {
    (uint80 roundId, int256 answer, , uint256 updatedAt, ) =
        AggregatorProxyInterface(ChainlinkAggregator.unwrap(self)).latestRoundData();
    return ChainlinkRound({roundId: roundId, timestamp: updatedAt, answer: answer});
}

/**
 * @notice Returns a specific round's data for a specific feed
 * @param self Chainlink Feed Aggregator to operate on
 * @param roundId The specific round to fetch data for
 * @return Specific round's data
 */
function getRound(ChainlinkAggregator self, uint256 roundId) internal view returns (ChainlinkRound memory) {
    (, int256 answer, , uint256 updatedAt, ) =
        AggregatorProxyInterface(ChainlinkAggregator.unwrap(self)).getRoundData(uint80(roundId));
    return ChainlinkRound({roundId: roundId, timestamp: updatedAt, answer: answer});
}

but, the freshness of these values are not valudated.

Impact

Stale oracle price value would be used.

Code Snippet

https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/types/ChainlinkAggregator.sol#L32-L48

Tool used

Manual Review

Recommendation

Follow the chain-link recommendation to validate the freshness of data.

sherlock-audit / 2023-05-perennial-judging

ak1 - oracle - freshness of price value is not checked. #243