Y2k Finance contest - cryptphi's results

A suite of structured products for assessing pegged asset risk.

General Information

Platform: Code4rena

Start Date: 14/09/2022

Pot Size: $50,000 USDC

Total HM: 25

Participants: 110

Period: 5 days

Judge: hickuphh3

Total Solo HM: 9

Id: 162

League: ETH

Y2k Finance

Findings Distribution

Researcher Performance

Rank: 109/110

Findings: 1

Award: $8.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

8.0071 USDC - $8.01

Labels

bug
duplicate
2 (Med Risk)
low quality report
sponsor acknowledged

External Links

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L57-L74

Vulnerability details

Impact

The latestRoundData() function depends on the price results of two price feeds. It calls latestRoundData() on both feeds, but it only checks the result from priceFeed2 for staleness and does not apply the same check to priceFeed1.

Hence, the returned resultant price can be computed from old round data returned by priceFeed1.

Proof of Concept

https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L57-L74

Tools Used

Manual review

It is best to use getOracle1_Price() instead of priceFeed1.latestRoundData() in line 63.
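To illustrate the mitigation, here is an added example (not the audited PegOracle.sol and not the project's own code) of a hypothetical peg oracle that routes both feed reads through one shared freshness check, so neither feed can be consumed without validation; the contract name, the `maxAge` window and the `_freshPrice` helper are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink-style aggregator interface, trimmed to the one function used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical peg oracle: reports the feed1 price relative to feed2,
// validating BOTH feeds before either value is used.
contract PegOracleExample {
    AggregatorV3Interface public immutable priceFeed1;
    AggregatorV3Interface public immutable priceFeed2;
    uint256 public immutable maxAge; // assumed staleness window in seconds

    constructor(address feed1, address feed2, uint256 maxAge_) {
        priceFeed1 = AggregatorV3Interface(feed1);
        priceFeed2 = AggregatorV3Interface(feed2);
        maxAge = maxAge_;
    }

    // Shared sanity check applied to every feed read, so a feed cannot be skipped by accident.
    function _freshPrice(AggregatorV3Interface feed)
        internal
        view
        returns (int256 price, uint80 roundId, uint256 updatedAt)
    {
        uint80 answeredInRound;
        (roundId, price, , updatedAt, answeredInRound) = feed.latestRoundData();
        require(price > 0, "Oracle: non-positive price");
        require(updatedAt != 0, "Oracle: round not complete");
        require(answeredInRound >= roundId, "Oracle: stale round");
        require(block.timestamp - updatedAt <= maxAge, "Oracle: price too old");
    }

    // Peg ratio scaled to 1e18; both feeds pass through the same checks,
    // which is the piece the finding reports as missing for priceFeed1.
    function latestRoundData() public view returns (uint80 roundId, int256 nowPrice, uint256 updatedAt) {
        (int256 price1, uint80 roundId1, uint256 updatedAt1) = _freshPrice(priceFeed1);
        (int256 price2, , uint256 updatedAt2) = _freshPrice(priceFeed2);
        nowPrice = (price1 * 1e18) / price2;
        roundId = roundId1;
        updatedAt = updatedAt1 < updatedAt2 ? updatedAt1 : updatedAt2; // report the older timestamp
    }
}
```

Reporting the older of the two `updatedAt` values lets a caller apply its own age policy on top of the oracle's.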

#0 - HickupHH3

2022-10-15T07:13:44Z

dup of #61

#1 - HickupHH3

2022-10-15T07:21:50Z

While it could perhaps use a tad more description, I feel the warden has identified the core issue regarding the potential usage of stale prices to warrant a "satisfactory" rating.
