There is a lack of verification for the update time of the oracle data.

Summary

Vulnerability Details

When obtaining the latest price through Chainlink, there is no check on the validity of the updateAt parameter, which may result in obtaining an invalid price. contracts/oracles/DebitaChainlink.sol

     (, int price, , , ) = priceFeed.latestRoundData();

        require(isFeedAvailable[_priceFeed], "Price feed not available");
        require(price > 0, "Invalid price");
        return price;
    }

Chainlink API:

  function latestRoundData(
    address base,
    address quote
  ) external view returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

As you can see the updatedAt timestamp is not checked. So the price may be outdated.

Impact

Could potentially be exploited by malicious actors to gain an unfair advantage as price is not updated.

Code Snippet

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/oracles/DebitaChainlink.sol#L42-L47

Tool Used

Manual Review

Recommendation

Add check like this: if (updatedAt < block.timestamp - LIMIT) revert PriceOutdated();

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

021.md

021.md

There is a lack of verification for the update time of the oracle data.

Summary

Vulnerability Details

Impact

Code Snippet

Tool Used

Recommendation

Files

021.md

Latest commit

History

021.md

File metadata and controls

There is a lack of verification for the update time of the oracle data.

Summary

Vulnerability Details

Impact

Code Snippet

Tool Used

Recommendation