search

sherlock-audit / 2024-03-arrakis-judging

2 stars 2 forks source link

Patreeciy - Chainlink’s latestRoundData might return stale or incorrect results #38

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

Patreeciy

medium

Chainlink’s latestRoundData might return stale or incorrect results

Summary

Chainlink's latestRoundData() is used but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation:

https://docs.chain.link/docs/historical-price-data/#historical-rounds

Vulnerability Detail

The _getOraclePriceUSD function uses Chainlink's latestRoundData() to get the latest price. However, there is no check if the return value indicates stale data.

Impact

The _getOraclePriceUSD could return stale price data for the underlying asset.

Code Snippet

https://github.com/sherlock-audit/2024-03-arrakis/blob/main/valantis-hot/src/HOTOracle.sol#L142 

function _getOraclePriceUSD(
        AggregatorV3Interface feed,
        uint32 maxOracleUpdateDuration
    ) internal view returns (uint256 oraclePriceUSD) {
        (, int256 oraclePriceUSDInt, , uint256 updatedAt, ) = feed.latestRoundData();
        if (block.timestamp - updatedAt > maxOracleUpdateDuration) {
            revert HOTOracle___getOraclePriceUSD_stalePrice();
        }
        oraclePriceUSD = oraclePriceUSDInt.toUint256();
    }

Tool used

Manual Review

Recommendation

Add the following checks:

( roundId, oraclePriceUSDInt, , updatedAt, answeredInRound ) = feed.latestRoundData();
require(oraclePriceUSDInt> 0, "Chainlink price <= 0");
require(updatedAt!= 0, "Incomplete round");
require(answeredInRound >= roundId, "Stale price");