search
Active Boosts

29445 - [SC - Insight] latestRoundData Call May Result Stale

Submitted on Mar 19th 2024 at 05:06:55 UTC by @caglankaan for Boost | Immunefi Arbitrationarrow-up-right

Report ID: #29445

Report type: Smart Contract

Report severity: Insight

Target: https://github.com/immunefi-team/vaults/blob/main/src/oracles/FeedRegistryL2.sol

Impacts:

  • Stale Data Can Be Used

hashtag
Description

hashtag
Brief/Intro

Data returned from chainlink might be old.

hashtag
Vulnerability Details

The contract calls out to a Chainlink oracle receiving the latestRoundData(). If there is a problem with Chainlink starting a new round and finding consensus on the new value for the oracle (e.g. Chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale or incorrect data (if oracles are unable to submit no new round is started).Take a look at the Chainlink documentationarrow-up-right

hashtag
Impact Details

The latestRoundData() could return stale price data for the underlying asset.

hashtag
References

100arrow-up-right

hashtag
Recommendation

Implement comprehensive checks to validate the freshness of the data returned by Chainlink's latestRoundData() in your smart contracts. This includes verifying the timestamp of the latest round against a permissible time window to ensure the data's relevance and accuracy. Additionally, consider using Chainlink's getRoundData() function with specific round IDs for historical data checks and to verify data continuity. Add the following checks:

hashtag
Proof of Concept

Previous29432 - [SC - Low] Malicious project can grief reward payouts from...Next29467 - [SC - Low] RewardTimelockexecuteRewardTransaction - L Inco...

Last updated

Was this helpful?