[WP-M6] Chainlink's latestRoundData might return stale results #99
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate: This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/Oracle.sol#L24-L35
Vulnerability details
https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/Oracle.sol#L24-L35
https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/Oracle.sol#L64-L69
https://github.com/code-423n4/2022-02-hubble/blob/ed1d885d5dbc2eae24e43c3ecbf291a0f5a52765/contracts/MarginAccount.sol#L460-L468
On Oracle.sol, we are using Chainlink's latestRoundData API, but there is no check if the return value indicates stale data. This could lead to stale prices according to the Chainlink documentation:
The result of latestRoundData API will be used for MarginAccount.sol#liquidateExactRepay(), therefore, a stale price from Chainlink can lead to loss of funds to end-users.
Recommendation
Consider adding missing checks for stale data.
For example: