Elegant Arctic Stork
Medium
The lack of validation for the additional parameters returned by Chainlink's latestRoundData function will cause incorrect price usage for users and the protocol, because the function may process stale or invalid data.
In DebitaChainlink.sol:30, the function getThePrice only checks the price value returned by latestRoundData without validating the other critical parameters, such as answeredInRound and updatedAt.
Examples:
- In DebitaChainlink.sol:30, the updatedAt timestamp is not checked, allowing stale price data to be used.
- In DebitaChainlink.sol:81, the answeredInRound value is not verified against roundId, which risks processing invalid or incomplete round data.
- A valid priceFeed address is set for the token.
- The isFeedAvailable status for the price feed is true.
- The contract is not paused (isPaused == false).
The Chainlink price feed provides stale or invalid data (e.g., updatedAt is old, or answeredInRound < roundId).
- A price feed set in the setPriceFeeds function provides stale or invalid data.
- The getThePrice function retrieves this data via latestRoundData().
- The function fails to validate the timestamp or round data and returns an inaccurate price.
The users and the protocol suffer an approximate loss of financial accuracy as the contract may calculate prices based on stale or invalid oracle data, leading to incorrect transactions or mispricing.
na
- Validate the answeredInRound and roundId fields to ensure the data corresponds to a valid round: require(answeredInRound >= roundId, "Invalid round data");
- Validate the updatedAt field to ensure the data is not stale: require(block.timestamp - updatedAt <= 1 hours, "Stale price data");