Chilly Rose Sealion

Medium

Missing Stale Price Validation in Chainlink Price Feed

Summary

The getThePrice function in the DebitaChainlink contract fetches price data with Chainlink's latestRoundData() but never validates the freshness of that data: the updatedAt timestamp and the round identifiers returned by the call are discarded. As a result the protocol can operate on stale or outdated prices.

Vulnerability Detail

In the DebitaChainlink contract, the protocol retrieves prices from a Chainlink price feed via latestRoundData(). The implementation, however, does not verify whether the returned data is fresh or outdated:

```solidity
function getThePrice(address tokenAddress) public view returns (int) {
    address _priceFeed = priceFeeds[tokenAddress];
    require(!isPaused, "Contract is paused");
    require(_priceFeed != address(0), "Price feed not set");
    AggregatorV3Interface priceFeed = AggregatorV3Interface(_priceFeed);

    if (address(sequencerUptimeFeed) != address(0)) {
        checkSequencer();
    }
    // roundId, startedAt, updatedAt and answeredInRound are all discarded:
    // nothing below checks how old the answer is or which round it belongs to.
    (, int price, , , ) = priceFeed.latestRoundData();

    require(isFeedAvailable[_priceFeed], "Price feed not available");
    require(price > 0, "Invalid price");
    return price;
}
```

While the code checks that the price is greater than zero, that check alone is insufficient to ensure the reliability of the price feed, as Chainlink's official documentation notes: a positive answer can still be hours old if the feed has stopped updating.

Impact

Without validating the recency of the price data, the system may use outdated or stale values, leading to incorrect calculations wherever the protocol relies on the returned price.

Tools

VS Code

Recommendation

Modify the code to check the roundId and updatedAt fields returned by latestRoundData() in addition to the price. Ensure that the retrieved data belongs to the most recent round and that the updatedAt timestamp lies within an acceptable threshold, so that only fresh data is accepted.
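The following is an added example, not code from the Debita project or from the original report, showing how getThePrice could apply the recommended checks. The per-feed maxStaleness mapping and the DEFAULT_MAX_STALENESS constant are assumptions introduced for illustration; the sequencer uptime check from the original function is left out to keep the focus on freshness validation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not the project's code). Demonstrates freshness validation
// for a Chainlink feed on top of the existing price > 0 check.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

contract DebitaChainlinkHardened {
    // State mirrors the names used in the reported excerpt.
    mapping(address => address) public priceFeeds;
    mapping(address => bool) public isFeedAvailable;
    bool public isPaused;

    // Assumption: maximum accepted answer age per feed, in seconds.
    // Chainlink publishes a heartbeat for each feed; configure this slightly
    // above that value so normal updates never trip the check.
    mapping(address => uint256) public maxStaleness;

    // Assumption: fallback bound used when no per-feed value is configured.
    uint256 public constant DEFAULT_MAX_STALENESS = 1 hours;

    function getThePrice(address tokenAddress) public view returns (int256) {
        address _priceFeed = priceFeeds[tokenAddress];
        require(!isPaused, "Contract is paused");
        require(_priceFeed != address(0), "Price feed not set");
        require(isFeedAvailable[_priceFeed], "Price feed not available");
        AggregatorV3Interface priceFeed = AggregatorV3Interface(_priceFeed);

        // Keep every field the aggregator returns instead of discarding them.
        (
            uint80 roundId,
            int256 price,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = priceFeed.latestRoundData();

        require(price > 0, "Invalid price");

        // Freshness: a zero updatedAt means the round never completed, and an
        // answer older than the configured bound is treated as stale.
        require(updatedAt != 0, "Round not complete");
        uint256 bound = maxStaleness[_priceFeed];
        if (bound == 0) {
            bound = DEFAULT_MAX_STALENESS;
        }
        require(block.timestamp - updatedAt <= bound, "Stale price");

        // Round consistency: the answer must come from the round being reported.
        // Note: answeredInRound is marked deprecated on newer Chainlink feeds,
        // where it always equals roundId; the updatedAt bound above is the
        // check that matters on those feeds.
        require(answeredInRound >= roundId, "Stale round");

        return price;
    }
}
```

The staleness bound has to be chosen per feed: a bound tighter than the feed's heartbeat makes the function revert during normal operation, while a bound far above it lets old answers through, which is the condition this finding describes.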