[NAZ-M1] Chainlink's latestRoundData Might Return Stale Results #441
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/PRICE.sol#L161
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/PRICE.sol#L170
Vulnerability details
Impact
Across these contracts, you are using Chainlink's latestRoundData API, but there is only a check on updatedAt. This could lead to stale prices according to the Chainlink documentation:

The result of the latestRoundData API will be used across various functions; therefore, a stale price from Chainlink can lead to loss of funds to end-users.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding the missing checks for stale data.
For example:
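One way the missing checks could look, as an added example that is not the report's or the Olympus code. FeedReader, readFresh, maxAge and the error names are hypothetical; only latestRoundData and its five return values come from Chainlink's AggregatorV3Interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // custom errors need 0.8.4 or later

// Chainlink's AggregatorV3Interface, reduced to the one call used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper for illustration; not taken from PRICE.sol.
library FeedReader {
    error Feed_NonPositiveAnswer(int256 answer);
    error Feed_IncompleteRound();
    error Feed_StaleTimestamp(uint256 updatedAt, uint256 maxAge);
    error Feed_AnsweredInEarlierRound(uint80 roundId, uint80 answeredInRound);

    /// @param maxAge Staleness bound in seconds. Assumption: the caller
    ///        derives it from the feed's heartbeat plus a safety margin.
    function readFresh(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (uint256)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // A zero or negative answer is never a usable price.
        if (answer <= 0) revert Feed_NonPositiveAnswer(answer);
        // updatedAt == 0 means the round has not completed yet.
        if (updatedAt == 0) revert Feed_IncompleteRound();
        // Reject future timestamps and data older than maxAge.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge)
            revert Feed_StaleTimestamp(updatedAt, maxAge);
        // The answer was carried over from an earlier round. Chainlink's current
        // documentation marks answeredInRound as deprecated, so do not rely on
        // this check alone.
        if (answeredInRound < roundId)
            revert Feed_AnsweredInEarlierRound(roundId, answeredInRound);

        return uint256(answer);
    }
}
```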