Skip to content

Latest commit

 

History

History
43 lines (25 loc) · 1.74 KB

062.md

File metadata and controls

43 lines (25 loc) · 1.74 KB

shaka

high

Chainlink price feed data could be stale

Summary

Chainlink price feed data could be stale.

Vulnerability Detail

It is not checked that the updatedAt value returned by priceFeed.latestRoundData() is recent enough. This can lead to the use of outdated price data.

As per Chainlink docs:

Your application should track the latestTimestamp variable or use the updatedAt value from the latestRoundData() function to make sure that the latest answer is recent enough for your application to use it. If your application detects that the reported answer is not updated within the heartbeat or within time limits that you determine are acceptable for your application, pause operation or switch to an alternate operation mode while identifying the cause of the delay.

Impact

USSD.sol:mintForToken() will mint an incorrect amount of USSD tokens.

The rebalance functionality will not work as expected, as the amounts to be swapped in USSDRebalancer.sol:SellUSSDBuyCollateral() and USSDRebalancer.sol:BuyUSSDSellCollateral() will be incorrect.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#LL23C26-L23C26

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWETH.sol#L23

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L48

Tool used

Manual Review

Recommendation

(, int256 price, , uint256 updatedAt, ) = priceFeed.latestRoundData();
if (block.timestamp - updatedAt > validPeriod) {
    // Call an alternative price source or pause the protocol
}