search

sherlock-audit / 2024-03-arrakis-judging

2 stars 2 forks source link

mgf15 - MISSING STALENESS CHECKS #75

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

mgf15

medium

MISSING STALENESS CHECKS

Summary

MISSING STALENESS CHECKS

Vulnerability Detail

Chainlink's latestRoundData() is used but there is no check if the return value indicates stale data. there are no checks against the roundID and oraclePriceUSDInt fields.

Impact

Failing to validate the freshness of Chainlink data could result in the CoreChainlinkFeed returning stale or outdated price data for assets. This can lead to incorrect pricing information being used in critical financial calculations within the protocol.

Code Snippet

https://github.com/sherlock-audit/2024-03-arrakis/blob/main/valantis-hot/src/HOTOracle.sol#L138C5-L149C6

    function _getOraclePriceUSD(
        AggregatorV3Interface feed,
        uint32 maxOracleUpdateDuration
    ) internal view returns (uint256 oraclePriceUSD) {
        (, int256 oraclePriceUSDInt, , uint256 updatedAt, ) = feed.latestRoundData();

        if (block.timestamp - updatedAt > maxOracleUpdateDuration) {
            revert HOTOracle___getOraclePriceUSD_stalePrice();
        }

        oraclePriceUSD = oraclePriceUSDInt.toUint256();
    }

Tool used

Manual Review

Recommendation

ChainlinkAdapterOracle should check the returned answer against the minPrice/maxPrice and revert if the answer is outside of the bounds.