Closed sherlock-admin2 closed 2 months ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
The protocol validates Chainlink oracle staleness inside the trading module with their own staleness setting across all vaults.
4b
Medium
Chainlink feed not validated in PendlePTOracle
Summary
In PendlePTOracle::_calculateBaseToQuote we can observe that there's an L2 sequencer uptime check, but there's no check to verify the freshness of that data on L1 networks.
Vulnerability Detail
This internal function _calculateBaseToQuote is called in external functions like latestRoundData, latestAnswer and latestTimestamp. As we see in the internal function, there are no checks to validate if the data being returned is stale or not; the same applies to these external functions. Rather, it only checks if it is greater than 0, which is flawed logic because a stale price can be greater than zero, but that doesn't make it the right price.
Impact
Stale data can be returned
Code Snippet
Tool used
Manual Review
Recommendation
Implement checks to verify freshness of data
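
One way to express the freshness check the recommendation asks for, as an added example that is not part of the original report and is not the audited PendlePTOracle code. The contract name `FreshPriceReader`, the `maxStaleness` parameter and the error names are assumptions; `latestRoundData` is the standard Chainlink aggregator call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal subset of Chainlink's AggregatorV3Interface needed here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Hypothetical helper: reads a feed and rejects non-positive,
/// incomplete or stale answers before handing the price to callers.
contract FreshPriceReader {
    error InvalidPrice(int256 answer);
    error IncompleteRound();
    error StalePrice(uint256 updatedAt, uint256 maxStaleness);

    AggregatorV3Interface public immutable feed;
    // Assumed parameter: set to the feed's heartbeat plus a safety margin.
    uint256 public immutable maxStaleness;

    constructor(AggregatorV3Interface feed_, uint256 maxStaleness_) {
        feed = feed_;
        maxStaleness = maxStaleness_;
    }

    function readFreshPrice() external view returns (uint256 price, uint256 updatedAt) {
        int256 answer;
        (, answer, , updatedAt, ) = feed.latestRoundData();

        // The kind of check the report says already exists: price must be positive.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not completed yet.
        if (updatedAt == 0) revert IncompleteRound();
        // Freshness check: reject answers older than the allowed window.
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, maxStaleness);

        price = uint256(answer);
    }
}
```

A positive but old answer passes the first check and is rejected only by the last one, which is the gap the report describes.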