Zealous Black Grasshopper - Inadequate Check for Stale Price in currentValue Function

[sherlock-admin2]

Zealous Black Grasshopper

High

Inadequate Check for Stale Price in currentValue Function

Summary

The currentValue function uses an incorrect logic to verify if the price fetched from the pythOracle is stale. The current implementation checks:

require(
    price.publishTime < block.timestamp - noOlderThan,
    "Stale Price"
);

This condition only validates if the price.publishTime is earlier than a certain time but does not ensure that the timestamp is within the acceptable range. The correct approach should be:

require(
    block.timestamp - price.publishTime <= noOlderThan,
    "Stale Price"
);

This ensures the price is recent enough to be considered valid.

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Using an incorrect stale price validation may allow outdated prices to pass through, leading to incorrect calculations, trades, or fund mismanagement. This oversight can adversely affect the protocol's reliability, especially in volatile markets where precise and current prices are critical.

PoC

No response

Mitigation

Update the stale price check logic to:

require(
    block.timestamp - price.publishTime <= noOlderThan,
    "Stale Price"
);