Use of deprecated Chainlink function "latestAnswer()"

[code423n4]

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/utils/TradingLibrary.sol#L113

Vulnerability details

Impact

The protocol uses Chainlink to verify price feeds. According to the documentation:

Prices provided by the oracle network are also compared to Chainlink's public price feeds for additional security. 
If prices have more than a 2% difference the transaction is reverted.

In the current implementation, the API used to check the Chainlink price feed is deprecated and can return stale prices.
Therefore, 2% prices difference can happen more frequently as oracle network prices can be ahead of Chainlink latestAnswer().

This is especially true in:

1. Volatile pairs.
2. Events that cause assets to drop/increase rapidly.

Proof of Concept

The function verifyPrice is used to validate the price feed during trading operations.
It then validates that the price received from the oracle network is not more or less then 2% from the Chainlink price result.

verifyPrice in TradingLibrary:
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/utils/TradingLibrary.sol#L113

    function verifyPrice(
        uint256 _validSignatureTimer,
        uint256 _asset,
        bool _chainlinkEnabled,
        address _chainlinkFeed,
        PriceData calldata _priceData,
        bytes calldata _signature,
        mapping(address => bool) storage _isNode
    )
        external view
    {
-------
        if (_chainlinkEnabled && _chainlinkFeed != address(0)) {
            int256 assetChainlinkPriceInt = IPrice(_chainlinkFeed).latestAnswer();
            if (assetChainlinkPriceInt != 0) {
                uint256 assetChainlinkPrice = uint256(assetChainlinkPriceInt) * 10**(18 - IPrice(_chainlinkFeed).decimals());
                require(
                    _priceData.price < assetChainlinkPrice+assetChainlinkPrice*2/100 &&
                    _priceData.price > assetChainlinkPrice-assetChainlinkPrice*2/100, "!chainlinkPrice"
                );
            }
        }
    }

As you can see in the above function: IPrice(_chainlinkFeed).latestAnswer(); is used.

latestAnswer is deprecated by Chainlink and should not be used:
https://docs.chain.link/data-feeds/price-feeds/api-reference/#latestanswer

latestAnswer can return stale prices, there is no valid way to check the time of the received price. latestRoundData should be used.

Tools Used

VS Code

Recommended Mitigation Steps

Use latestRoundData instead of latestAnswer.
When latestRoundData you can validate that the timestamp of the price received is recent and matching to _validSignatureTimer threshold you already check the oracle network price data on.

If price is stale, either revert the transaction or don't check the 2% difference.

Additionally round completeness should also be checked

[c4-judge]

GalloDaSballo marked the issue as duplicate of #655

[c4-judge]

GalloDaSballo marked the issue as satisfactory