peanuts
medium
There is no check for stale results when calling latestRoundData().
No check for round completeness could lead to stale prices and wrong price return value, or outdated price. The functions rely on accurate price feed might not work as expected, sometimes can lead to fund loss. The function getPriceUSD() call out to an oracle through latestRoundData() to get the price of some token. However, the return price is not checked for staleness.
According to Chainlink's documentation, this function does not error if no answer has been reached but returns 0 or outdated round data. The external Chainlink oracle, which provides index price information to the system, introduces risk inherent to any dependency on third-party data sources. For example, the oracle could fall behind or otherwise fail to be maintained, resulting in outdated data being fed to the index price calculations. Oracle reliance has historically resulted in crippled on-chain systems, and complications that lead to these outcomes can arise from things as simple as network congestion.
Chainlink documentation: https://docs.chain.link/docs/historical-price-data/#historical-rounds
If there is a problem with chainlink starting a new round and finding consensus on the new value for the oracle (e.g. chainlink nodes abandon the oracle, chain congestion, vulnerability/attacks on the chainlink system) consumers of this contract may continue using outdated stale data (if oracles are unable to submit no new round is started).
This could lead to stale prices and wrong price return value, or outdated price.
As a result, the functions rely on accurate price feed might not work as expected, sometimes can lead to fund loss. The impacts vary and depends on the specific situation like the following:
- incorrect liquidation
- some users could be liquidated when they should not
- no liquidation is performed when there should be
- wrong price feed
- causing inappropriate loan being taken, beyond the current collateral factor
- too low price feed affect normal operations
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWBTC.sol#L23 https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleWETH.sol https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L48
Manual Review
Recommend checking the returned price.
getPriceUSD() external view override returns (uint256) {
//(uint80 roundID, int256 price, uint256 startedAt, uint256 timeStamp, uint80 answeredInRound) = priceFeed.latestRoundData();
- (, int256 price, , , ) = priceFeed.latestRoundData();
+ (uint80 roundID, int256 price, , uint256 updatedAt ,uint80 answeredInRound ) = priceFeed.latestRoundData();
+ require(answeredInRound >= roundId, "answer is stale");
+ require(updatedAt > 0, "round is incomplete");
+ require(price> 0, "Invalid feed answer");
// chainlink price data is 8 decimals for WETH/USD
return uint256(price) * 1e10;
}
}