Closed sherlock-admin4 closed 7 months ago
2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
According to Smilee Readme and Sherlock documentation this issue type is invalid
takarez commented:
invalid; this is invalid according to Sherlock rules VII. Num 17
calpaliu
medium
Chainlink's latestRoundData might return stale or incorrect results
Summary
The provided Solidity code snippet retrieves data from an oracle contract to obtain the latest price feed information. However, it lacks explicit error handling for scenarios where the data is stale, which could lead to inaccurate results. Additionally, it does not validate the roundID, leaving the code vulnerable to potential manipulation or returning stale data from the oracle.
Vulnerability Detail
The code currently verifies the freshness of data solely based on the timestamp (updatedAt). However, without validating the roundID, there's a risk of returning stale data or being misled by outdated information. Stale data could occur if the contract has updated its timestamp but not its roundID, leading to erroneous interpretations of the data's freshness.
Impact
The absence of explicit error handling for stale data and the lack of validation for the roundID increase the likelihood of returning outdated or inaccurate information. This vulnerability could result in incorrect decisions or actions based on unreliable data, potentially leading to financial losses, system malfunctions, or security vulnerabilities.
Code Snippet
Tool Used
Manual Review
Recommendation
Add a check to ensure that the retrieved roundID matches the answeredInRound value returned by the oracle contract. This validation ensures that the data corresponds to the latest round, mitigating the risk of returning stale data or being misled by outdated information.