Platform: Code4rena
Start Date: 14/09/2022
Pot Size: $50,000 USDC
Total HM: 25
Participants: 110
Period: 5 days
Judge: hickuphh3
Total Solo HM: 9
Id: 162
League: ETH
Rank: 110/110
Findings: 1
Award: $8.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
8.0071 USDC - $8.01
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L273
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Controller.sol#L297
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L63
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L96
In Controller.sol and in PegOracle.sol we are using latestRoundData, but there is no check of whether the return value indicates stale data.
This could lead to stale prices according to the Chainlink documentation:
https://docs.chain.link/docs/historical-price-data/#historical-rounds
https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round
Visual Inspection
Consider adding missing checks for stale data.
For example:
```solidity
(uint80 roundID, int256 feedPrice, , uint256 timestamp, uint80 answeredInRound) = feed.latestRoundData();
require(feedPrice > 0, "Chainlink price <= 0");
require(answeredInRound >= roundID, "Stale price");
require(timestamp != 0, "Round not complete");
```
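The checks above wrapped in a reusable library, as an added example that is not part of the original submission or of Y2K's code. It goes beyond the report's three checks by also bounding the age of `updatedAt`; the names `IFeed`, `CheckedFeed`, `MockFeed` and `Consumer`, and the one-hour `maxAge`, are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Subset of Chainlink's AggregatorV3Interface used by this example.
interface IFeed {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound);
}

library CheckedFeed {
    error NonPositivePrice(int256 answer);
    error RoundNotComplete(uint80 roundId);
    error CarriedOverAnswer(uint80 roundId, uint80 answeredInRound);
    error PriceTooOld(uint256 updatedAt, uint256 maxAge);

    // maxAge is an assumption of this example: a caller-chosen bound in seconds.
    function read(IFeed feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        if (answer <= 0) revert NonPositivePrice(answer);
        if (updatedAt == 0) revert RoundNotComplete(roundId);
        if (answeredInRound < roundId) revert CarriedOverAnswer(roundId, answeredInRound);
        // A feed that simply stops updating passes the three checks above; only
        // this age bound rejects it. An updatedAt in the future underflows and reverts.
        if (block.timestamp - updatedAt > maxAge) revert PriceTooOld(updatedAt, maxAge);
        return uint256(answer);
    }
}

// Constructed mock feed: set the fields to drive each revert path in a test.
contract MockFeed is IFeed {
    uint80 public roundId = 2;
    int256 public answer = 1e8;
    uint256 public updatedAt = block.timestamp;
    uint80 public answeredInRound = 2;

    function set(uint80 r, int256 a, uint256 u, uint80 air) external {
        (roundId, answer, updatedAt, answeredInRound) = (r, a, u, air);
    }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, updatedAt, updatedAt, answeredInRound);
    }
}

contract Consumer {
    // 1 hours is a constructed value; pick the bound from the feed's documented update interval.
    function price(IFeed feed) external view returns (uint256) { return CheckedFeed.read(feed, 1 hours); }
}
```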
#0 - HickupHH3
2022-10-15T07:24:56Z
dup of #61