HOTOracle::getSqrtOraclePriceX96 Missing checks on values returned by Chainlink aggregators
Summary
HOTOracle::getSqrtOraclePriceX96 relies on latestRoundData(), but the returned data isn’t properly checked, so it can return a stale or incorrect result.
Vulnerability Detail
HOTOracle::getSqrtOraclePriceX96 relies on the Chainlink latestRoundData() function to get the price in USD: HOTOracle.sol#L142.
However, according to the Chainlink documentation, the returned data should be checked to ensure the result is not stale or incorrect:
cergyk
medium
In the current implementation, only updatedAt is checked, which could lead to a stale or incorrect result: HOTOracle.sol#L144-L146.
Here’s an example of a previous report related to this issue: https://github.com/sherlock-audit/2023-02-blueberry-judging/issues/94.
Impact
HOTOracle::_getOraclePriceUSD could return stale or incorrect data, thus wrongly calculating the sqrt oracle price.
Code Snippet
Tool used
Manual Review, Solodit
Recommendation
Add the below checks for returned data: HOTOracle.sol#L138-L149