Closed sherlock-admin2 closed 11 months ago
4 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because it was invalid in main contest
n33k commented:
invalid, a dup of previously reported invalid issue, https://github.com/sherlock-audit/2023-07-perennial-judging/issues/68
darkart commented:
There is a minimum price; it can't go below it.
polarzero commented:
Medium. This should indeed be taken into account. Another recommendation could be to include checks for the returned timestamp, and/or include an acceptable delay for the date of the last update.
saneryee (medium): latestRoundData() does not update the oracle
Summary
The issue mainly concerns the use of Chainlink's latestRoundData() function to obtain external data (such as the price of ETH) without adequately checking the freshness of the data. Since this function only reads data and does not trigger an update of the Oracle, it is possible to obtain outdated data.
Vulnerability Detail
In smart contracts, latestRoundData() is used to obtain the most recent available Oracle data. This function returns several values, including updatedAt, the timestamp of the last update of the data. However, relying solely on updatedAt to determine the freshness of the data is insufficient. If the Oracle has not been updated for a long time, or if the data becomes unreliable for other reasons, using such data poses risks.
Impact
If outdated or inaccurate data is used in financial smart contracts (such as DeFi applications), this could lead to inaccurate asset valuations, incorrect trade prices, etc., ultimately potentially causing a loss of funds for users. This is not only a financial loss but may also lead to a loss of trust in the platform or service.
Code Snippet
root/contracts/attribute/Kept/Kept.sol#L66
Tool used
Manual Review
Recommendation
Consider adding checks on the return data with proper revert messages if the price is stale or the round is incomplete.
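An added example (not Perennial's Kept.sol) showing the unchecked read the report describes next to a hardened read that reverts on an incomplete round, a non-positive answer, or a stale updatedAt. The interface mirrors Chainlink's AggregatorV3Interface; the maxStaleness tolerance and the contract name are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of Chainlink's AggregatorV3Interface (same return tuple).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical consumer contract used only to contrast the two read patterns.
contract PriceConsumer {
    AggregatorV3Interface public immutable feed;
    // Assumed tolerance: the feed's published heartbeat plus a safety margin, set by the deployer.
    uint256 public immutable maxStaleness;

    error StalePrice(uint256 updatedAt, uint256 nowTs);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error InvalidPrice(int256 answer);

    constructor(address feed_, uint256 maxStaleness_) {
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
    }

    // The pattern the report flags: only the answer is read, nothing about its age is checked.
    function unsafePrice() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }

    // Hardened read with the checks the recommendation asks for.
    function safePrice() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        // Round not yet finalised (legacy field; newer OCR feeds report answeredInRound == roundId).
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // Zero or negative answers are never a valid price.
        if (answer <= 0) revert InvalidPrice(answer);
        // Never-updated feed, or last update older than the tolerated window.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp);
        }
        return uint256(answer);
    }
}
```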