This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

0xPkhatri - Chainlink Oracle priceFeed Data May Return Stale Prices #783

Closed
sherlock-admin opened this issue May 24, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments


sherlock-admin commented May 24, 2023

0xPkhatri

medium

Chainlink Oracle priceFeed Data May Return Stale Prices

Summary

The StableOracleWBTC, StableOracleWETH, and StableOracleDAI contracts do not sufficiently validate the Chainlink oracle data feed for stale prices. If stale prices are used, it could lead to inaccuracies in calculations that depend on the price.

Vulnerability Detail

In the StableOracle contract, the getPriceUSD function retrieves the price of the token in USD using Chainlink's latestRoundData function, without validating the freshness of the returned price. It simply takes the price from the returned data, ignoring other returned parameters such as roundId and answeredInRound. According to Chainlink's documentation, comparing answeredInRound against the current roundId can help determine whether the returned answer is fresh or not. It also does not check that price > 0.

    function getPriceUSD() external view override returns (uint256) {
        //(uint80 roundID, int256 price, uint256 startedAt, uint256 timeStamp, uint80 answeredInRound) = priceFeed.latestRoundData();
        (, int256 price, , , ) = priceFeed.latestRoundData();
        // chainlink price data is 8 decimals for WETH/USD
        return uint256(price) * 1e10;
    }

Impact

The failure to validate the freshness of the price may result in the usage of stale prices, leading to incorrect calculations where price matters.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L48
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWETH.sol#L23
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L23

Tool used

Manual Review

Recommendation

Please verify whether the price is fresh or stale.

Duplicate of #31
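The following is an added illustration of the recommended check, not code from the USSD repository or from the reporter. It declares a minimal AggregatorV3Interface inline and a constructor parameter `maxStaleness` (both assumptions for the example), and shows the three validations the report calls for: a positive answer, `answeredInRound >= roundId`, and an `updatedAt` timestamp within an accepted age. A tiny settable mock feed is included so the revert paths can be exercised in a local test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface (assumed for this example).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hardened version of the oracle read shown in the report (example code, not the project's).
contract StableOracleHardened {
    AggregatorV3Interface public immutable priceFeed;
    // Maximum accepted age of a price, in seconds. Should be set to a little more than
    // the feed's heartbeat so that a healthy feed never trips it (assumed parameter).
    uint256 public immutable maxStaleness;

    error InvalidPrice(int256 price);
    error IncompleteRound(uint80 roundId);
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 blockTimestamp);

    constructor(address feed, uint256 maxStaleness_) {
        priceFeed = AggregatorV3Interface(feed);
        maxStaleness = maxStaleness_;
    }

    // Returns the USD price scaled to 18 decimals, or reverts if the feed data is unusable.
    function getPriceUSD() external view returns (uint256) {
        (uint80 roundId, int256 price, , uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // 1. A zero or negative answer is never a valid price.
        if (price <= 0) revert InvalidPrice(price);
        // 2. updatedAt == 0 means the round has not completed yet.
        if (updatedAt == 0) revert IncompleteRound(roundId);
        // 3. The answer must come from the current round, not be carried over from an older one.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);
        // 4. The answer must be recent enough for this protocol's risk tolerance.
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, block.timestamp);

        // Scale from the feed's own decimals (8 for the USD feeds the report mentions) to 18.
        uint8 feedDecimals = priceFeed.decimals();
        require(feedDecimals <= 18, "unsupported feed decimals");
        return uint256(price) * 10 ** (18 - feedDecimals);
    }
}

// Settable mock feed so the revert paths above can be driven from a unit test (constructed, not a real feed).
contract MockAggregator is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 roundId_, int256 answer_, uint256 updatedAt_, uint80 answeredInRound_) external {
        roundId = roundId_;
        answer = answer_;
        updatedAt = updatedAt_;
        answeredInRound = answeredInRound_;
    }

    function decimals() external pure returns (uint8) {
        return 8;
    }

    function latestRoundData()
        external
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}
```

In a test, calling `set(10, 2000e8, block.timestamp, 10)` on the mock makes `getPriceUSD()` return `2000e18`, while `set(10, 2000e8, block.timestamp, 9)` reverts with `StaleRound`, `set(10, 0, block.timestamp, 10)` reverts with `InvalidPrice`, and an `updatedAt` older than `maxStaleness` reverts with `StalePrice`. Reverting rather than returning a fallback value is deliberate: a caller that silently continues with an old price is exactly the failure the report describes. Chainlink has since marked `answeredInRound` as deprecated in its documentation, so the `updatedAt` age check against the feed's heartbeat is the one to rely on going forward.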

@github-actions github-actions bot closed this as completed Jun 5, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jun 5, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jun 23, 2023