Chainlink's latestRoundData can return stale or incorrect result

Summary

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L48 https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L23 https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWETH.sol#L23

Vulnerability Detail

Impact

In StableOracleDAI.sol, StableOracleWBTC.sol and StableOracleWETH.sol is used latestRoundData(), but there is no check if the return value indicates stale data. This could lead to stale prices

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L48

(, int256 price, , , ) = priceFeedDAIETH.latestRoundData();

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L23

 (, int256 price, , , ) = priceFeed.latestRoundData();

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWETH.sol#L23

(, int256 price, , , ) = priceFeed.latestRoundData();

Tool used

Manual Review

Recommendation

Add checks for the returned data after calling latestRoundData()

(uint80 roundID, int256 price, uint256 timestamp, uint256 updatedAt, ) = priceFeed.latestRoundData();
require(updatedAt >= roundID, "Stale price");
require(timestamp != 0,"Round not complete");
require(price > 0,"Chainlink answer reporting 0");

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

049.md

049.md

Chainlink's latestRoundData can return stale or incorrect result

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Files

049.md

Latest commit

History

049.md

File metadata and controls

Chainlink's latestRoundData can return stale or incorrect result

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation