Agreeable Pearl Cricket

Medium

No check for stale data when fetching from Chainlink on the Optimism chain

Summary

When fetching a price from Chainlink, the protocol does not check whether the fetched data is stale.

Root Cause

Source

            // updatedAt (the fourth return value) is discarded, so the age of the answer is never checked
            (, int256 price_, , , ) = oracle.latestRoundData();
            if (underlying == assetAddress[IBorrowing.AssetName.ETH]) {
                return (1 ether, uint128((uint256(price_) / 1e6)));
            } else {
                (, uint128 ethPrice) = _price(assetAddress[IBorrowing.AssetName.ETH]);
                return (uint128(uint256(price_)), ethPrice);
            }

Impact

There are different reasons why an oracle price feed can become stale. Using a stale price will result in incorrect calculations in most of the key functionality of the protocol.

Mitigation

Read the updatedAt value returned by latestRoundData() and verify that it falls within the heartbeat of the price feed.

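(, int256 price_, , uint256 updatedAt, ) = oracle.latestRoundData();
// Reject answers older than the feed's heartbeat (1 hour in this example)
if (updatedAt < block.timestamp - 60 * 60 /* 1 hour */) {
   revert("stale price feed");
}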
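A fuller form of the mitigation, as an added example that is not the audited protocol's code: each feed is read through one helper that enforces a per-feed maximum age and also rejects non-positive answers and incomplete rounds. `FreshPrice`, `OracleConsumer`, `maxAge` and the constructor parameters are hypothetical names; the maximum ages are assumed to be set from each feed's published heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface, declared inline so the file compiles alone.
interface AggregatorV3Interface {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper library (added example).
library FreshPrice {
    error InvalidPrice(int256 answer);
    error RoundNotComplete();
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    /// @param feed   Chainlink aggregator to read.
    /// @param maxAge Maximum accepted age in seconds (assumption: derived from the feed's heartbeat).
    function read(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();

        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt == 0) revert RoundNotComplete();
        // A timestamp ahead of block.timestamp would make the subtraction revert with an
        // arithmetic panic; the first condition short-circuits and reports it as stale instead.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }
        return uint256(answer);
    }
}

// Hypothetical consumer: both the asset feed and the ETH feed go through the same check,
// because a fresh asset price combined with a stale ETH price is still a wrong result.
contract OracleConsumer {
    using FreshPrice for AggregatorV3Interface;

    AggregatorV3Interface public immutable assetFeed;
    AggregatorV3Interface public immutable ethFeed;
    uint256 public immutable assetMaxAge;
    uint256 public immutable ethMaxAge;

    constructor(AggregatorV3Interface asset_, uint256 assetAge_, AggregatorV3Interface eth_, uint256 ethAge_) {
        (assetFeed, assetMaxAge, ethFeed, ethMaxAge) = (asset_, assetAge_, eth_, ethAge_);
    }

    function prices() external view returns (uint256 assetPrice, uint256 ethPrice) {
        assetPrice = assetFeed.read(assetMaxAge);
        ethPrice = ethFeed.read(ethMaxAge);
    }
}
```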