Chainlink's latestRoundData might return stale or incorrect results

[zlsecure3]

subject

Chainlink's latestRoundData might return stale or incorrect results

description

Description: Chainlink's latestRoundData() is used but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation

• https://docs.chain.link/docs/historical-price-data/#historical-rounds

The PriceOracle._getPriceFeed() function uses Chainlink's latestRoundData() to get the latest price. However, there is no check if the return value indicates stale data.

if (feed.defaultOracle != address(0)) {
                (
                    ,
                    vars.defaultOraclePrice,
                    ,
                    vars.defaultOracleUpdatedAt,

                ) = IAggregatorV3Interface(feed.defaultOracle)
                    .latestRoundData();
            }

impact- The PriceOracle could return stale price data for the underlying asset.

recommendation

Consider adding checks for stale data.

(
                   roundId ,
                    vars.defaultOraclePrice,
                    ,
                    vars.defaultOracleUpdatedAt,
            answeredInRound

                ) = IAggregatorV3Interface(feed.defaultOracle)
                    .latestRoundData();

require(answeredInRound >= roundId, "Price stale");
require(block.timestamp - updatedAt < PRICE_ORACLE_STALE_THRESHOLD, "Price round incomplete");

locations

• https://github.com/Secure3Audit/audit_Aark_rajatbeladiya/blob/a1181c6f0c22051c5ec7536e0c47ed90499fdd6a/code/contracts/core/price-oracle/PriceOracle.sol#L152-L159

severity

Medium

damage

exploitability

category

Oracle Manipulation

---

system_generated: auditor:rajatbeladiya submission_id:1772717350