Calls to Oracles don't check for stale prices

Summary

Calls to Oracles don't check for stale prices.

Vulnerability Detail

None of the oracle calls check for stale prices, for example StableOracleDAI.getPriceUSD():

(, int256 price, , , ) = priceFeedDAIETH.latestRoundData();

return
    (wethPriceUSD * 1e18) /
    ((DAIWethPrice + uint256(price) * 1e10) / 2);

Impact

Oracle price feeds can become stale due to a variety of reasons. Using a stale price will result in incorrect calculations in most of the key functionality of USSD & USSDRebalancer contracts.

Code Snippet

StableOracleDAI.getPriceUSD() StableOracleWBGL.getPriceUSD() StableOracleWBTC.getPriceUSD() StableOracleWETH.getPriceUSD()

Tool used

Manual Review

Recommendation

Read the updatedAt parameter from the calls to latestRoundData() and verify that it isn't older than a set amount, eg:

if (updatedAt < block.timestamp - 60 * 60 /* 1 hour */) {
   revert("stale price feed");
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

031.md

031.md

Calls to Oracles don't check for stale prices

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Files

031.md

Latest commit

History

031.md

File metadata and controls

Calls to Oracles don't check for stale prices

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation