bigbick123456789000 - Lack of Stale Price Checking in `_getPrice` Function

[sherlock-admin3]

bigbick123456789000

medium

Lack of Stale Price Checking in _getPrice Function

Summary

The _getPrice function in the provided contract does not include checks for stale prices obtained from the oracle adapter. This omission could lead to potential inaccuracies in trading decisions and may expose the contract to manipulation or arbitrage opportunities based on outdated price data.

Vulnerability Detail

The _getPrice function retrieves the current price from the oracle adapter based on the market's price feed ID without considering the freshness of the price data. Here's the code snippet of the function:

function _getPrice(uint256 marketId) internal view returns (uint256) {
    IAddressManager addressManager = getAddressManager();
    (uint256 price, ) = addressManager.getPythOracleAdapter().getPrice(
        addressManager.getConfig().getPriceFeedId(marketId)
    );
    return price;
}

The function simply fetches the price without verifying its timeliness or checking for updates. This lack of validation leaves the contract vulnerable to stale prices, which may result from delays in oracle updates or manipulation of price feeds.

Impact

One potential impact of this vulnerability is that traders relying on outdated or stale price data may make incorrect trading decisions, leading to financial losses. Moreover, arbitrageurs could exploit price discrepancies caused by stale data, resulting in inefficient markets and reduced liquidity.

Code Snippet

#L530-L536

Tool used

Manual Review

Recommendation

Incorporate mechanisms to check the freshness of price data before using it for trading decisions.

Duplicate of #24

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid