# 29347 - \[SC - Insight] Chainlinks latestRoundData might return stale o... Submitted on Mar 14th 2024 at 16:48:24 UTC by @OxRizwan for [Boost | Immunefi Arbitration](https://immunefi.com/bounty/immunefiarbitration-boost/) Report ID: #29347 Report type: Smart Contract Report severity: Insight Target: Impacts: * Contract fails to deliver promised returns, but doesn't lose value ## Description ## Brief/Intro Chainlink's latestRoundData might return stale or incorrect results leading to incorrect prices ## Vulnerability Details `PriceConsumer.getChainlinkPrice18Decimals()` fetches the asset price from a Chainlink aggregator using the `latestRoundData` function. However, there are no checks on roundID, resulting in stale prices. The oracle wrapper calls out to a chainlink oracle receiving the latestRoundData(). ```solidity function getChainlinkPrice18Decimals( address base, address quote ) public view returns (PriceResponse memory response) { @> try registry.latestRoundData(base, quote) returns ( uint80 roundId, int256 answer, uint256 /* startedAt */, uint256 updatedAt, uint80 /* answeredInRound */ ) { response.success = true; response.roundId = roundId; response.answer = _convertTo18Decimals(answer, registry.decimals(base, quote)); response.updatedAt = updatedAt; } catch {} } ``` Stale prices could put funds at risk. According to Chainlink's documentation, This function does not error if no answer has been reached but returns 0, causing an incorrect price fed to the PriceOracle. The external Chainlink oracle, which provides index price information to the system, introduces risk inherent to any dependency on third-party data sources. For example, the oracle could fall behind or otherwise fail to be maintained, resulting in outdated data being fed to the index price calculations. Oracle reliance has historically resulted in crippled on-chain systems, and complications that lead to these outcomes can arise from things as simple as network congestion. ## Impact Details The Oracle can return stale data which does not reflect the most recent price of the asset, which could leas to incorrect calculations, and users or the protocol could end up losing money because of the discrepancy between the returned price and the real current value of the asset. ## References ## Recommendation to fix Consider adding missing checks for stale data. For example: ```solidity (uint80 roundID, int256 feedPrice, , uint256 timestamp, uint80 answeredInRound) = feed.latestRoundData(); require(feedPrice > 0, "Chainlink price <= 0"); require(answeredInRound >= roundID, "Stale price"); require(timestamp != 0, "Round not complete"); ``` ## Proof of Concept --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/immunefi-arbitration/29347-sc-insight-chainlinks-latestrounddata-might-return-stale-o....md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.