mgf15 - Chainlink's `latestRoundData` might return stale or incorrect results

[sherlock-admin3]

mgf15

medium

Chainlink's latestRoundData might return stale or incorrect results

Summary

Chainlink's latestRoundData() is used but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation:

https://docs.chain.link/docs/historical-price-data/#historical-rounds

Vulnerability Detail

The ChainlinkPriceOracle._getFeedValue function uses Chainlink's latestRoundData() to get the latest price. However, there is no check if the return value indicates stale data.

Impact

The Pricer could return stale price data for the underlying asset.

Code Snippet

function _getFeedValue(address priceFeedAddr) internal view returns (OracleValue memory datum) {
        AggregatorV3Interface priceFeed = AggregatorV3Interface(priceFeedAddr);
        /*
            latestRoundData SHOULD raise "No data present"
            if they do not have data to report, instead of returning unset values
            which could be misinterpreted as actual reported values.
        */
        (, int256 answer, , uint256 updatedAt, ) = priceFeed.latestRoundData();

        if (answer < 0) {
            revert PriceNegative();
        }

        datum.value = AmountsMath.wrapDecimals(uint256(answer), priceFeed.decimals());
        datum.lastUpdate = updatedAt;
    }

https://github.com/sherlock-audit/2024-02-smilee-finance/blob/3241f1bf0c8e951a41dd2e51997f64ef3ec017bd/smilee-v2-contracts/src/providers/chainlink/ChainlinkPriceOracle.sol#L110

Tool used

Manual Review

Recommendation

Consider adding checks for stale data.

[sherlock-admin4]

3 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, chainlink oracle is trusted

tsvetanovv commented:

According to Smilee Readme and Sherlock documentation this issue type is invalid

takarez commented:

invalid