cccz - Chainlink's latestRoundData might return stale or incorrect results

[sherlock-admin]

cccz

medium

Chainlink's latestRoundData might return stale or incorrect results

Summary

Chainlink's latestRoundData might return stale or incorrect results

Vulnerability Detail

On PricerInternal, we are using latestRoundData, but there is no check if the return value indicates stale data.

    function _latestAnswer64x64() internal view returns (int128) {
        (, int256 basePrice, , , ) = BaseSpotOracle.latestRoundData();
        (, int256 underlyingPrice, , , ) =
            UnderlyingSpotOracle.latestRoundData();

        return ABDKMath64x64.divi(underlyingPrice, basePrice);
    }

This could lead to stale prices according to the Chainlink documentation:

https://docs.chain.link/docs/historical-price-data/#historical-rounds
https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round

Impact

Stale prices might be used.

Code Snippet

https://github.com/sherlock-audit/2022-09-knox/blob/main/knox-contracts/contracts/pricer/PricerInternal.sol#L49-L55

Tool used

Manual Review

Recommendation

Validate data feed by:

• Checking the returned answer is not 0.
• Verify result is within an allowed margin of freshness by checking updatedAt.
• Verify answer is indeed for the last known round.

Duplicate of #137