Large Arctic Kookaburra
Medium
Description: The OracleReader::getOraclePrice doesn't properly validate the return data. When data is returned from a priceFeed, comprehensive checks should be used to validate the authenticity of the data. Using stale, inaccurate, or unchecked data can lead to a multitude of problems. These issues can result in financial losses, inaccurate calculations, or even system failures.
The contract directly uses the price feed's return values without validating critical data fields like roundID, answer timestamp, and answeredInRound. This oversight can allow outdated or invalid price data to be processed as if it were current and accurate.
No response
No response
No response
The protocol might unwittingly use data from incomplete and stale rounds and the integrity of the entire system can be compromised if it relies on unvalidated or outdated data. Stale prices might cause system calculations to deviate from market reality
No response
Implement Comprehensive Checks: Whenever data is fetched from an oracle, validate it comprehensively. Use checks like:
- (,int256 answer,,uint256 updatedTimestamp,) = AggregatorV3Interface(feed).latestRoundData();
+ (uint80 roundID, int256 answer, , uint256 updatedTimestamp, uint80 answeredInRound) = oracle.latestRoundData();
+ require(answer > 0, "Invalid price data");
+ require(updatedTimestamp != 0, "Incomplete round");
+ require(answeredInRound >= roundID, "Stale data detected");