Lack of stale price check in getAssetPrice function
Description
The latestAnswer function in Oracle.sol retrieves price data from the Pyth network's contract using the getPriceUnsafe function. It is implemented as follows:
```solidity
function latestAnswer() public view override returns (int256) {
    PythStructs.Price memory price = pyth.getPriceUnsafe(pythID);
    return int256(price.price);
}
```
Upon reviewing the use of the latestAnswer function, we found that, although it is not within the audit scope, it is utilized in the getAssetPrice function of the AaveOracle.sol contract. This can be seen in the following GitHub link for AaveOracle.sol.
The getAssetPrice function in the contract does not verify whether the price data returned by the oracle is stale. This oversight can lead to the use of outdated or incorrect price information, which may affect the contract's behavior and reliability.
```solidity
function getAssetPrice(address asset) public view override returns (uint256) {
    AggregatorInterface source = assetsSources[asset];
    if (asset == BASE_CURRENCY) {
        return BASE_CURRENCY_UNIT;
    } else if (address(source) == address(0)) {
        return _fallbackOracle.getAssetPrice(asset);
    } else {
        int256 price = source.latestAnswer();
        if (price > 0) {
            return uint256(price);
        } else {
            return _fallbackOracle.getAssetPrice(asset);
        }
    }
}
```
Impact
Using stale price data can lead to incorrect financial calculations and decisions based on outdated information. This can have significant consequences, especially in financial applications where timely and accurate data is crucial.
In the past, instances of economic losses due to this issue have been reported, such as in this case with the Venus Protocol.
Recommendations
Add code to check if the price data is within the last n minutes.
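One way to implement this recommendation in the Oracle contract, as an added example that is not the project's code or the fix applied in commit b7bc3ac846: the Pyth publishTime is compared against block.timestamp, and a stale price is reported as 0 so that the `price > 0` check in AaveOracle.getAssetPrice routes to `_fallbackOracle` instead of consuming the outdated value. The constructor, the maxPriceAge parameter and the _isFresh helper are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";

contract Oracle {
    IPyth public immutable pyth;
    bytes32 public immutable pythID;
    // Maximum accepted age of a price in seconds (the "n minutes" of the
    // recommendation); an assumed constructor parameter for this example.
    uint256 public immutable maxPriceAge;

    constructor(address _pyth, bytes32 _pythID, uint256 _maxPriceAge) {
        pyth = IPyth(_pyth);
        pythID = _pythID;
        maxPriceAge = _maxPriceAge;
    }

    // Returns the Pyth price, or 0 when the price is older than maxPriceAge.
    // A non-positive return makes AaveOracle.getAssetPrice fall through to
    // _fallbackOracle rather than using the stale value.
    function latestAnswer() public view returns (int256) {
        PythStructs.Price memory price = pyth.getPriceUnsafe(pythID);
        if (!_isFresh(price.publishTime)) {
            return 0;
        }
        return int256(price.price);
    }

    // Assumed helper: a publish time in the future is rejected as well, so the
    // subtraction below cannot underflow and a skewed feed cannot look fresh.
    function _isFresh(uint256 publishTime) internal view returns (bool) {
        if (publishTime > block.timestamp) {
            return false;
        }
        return block.timestamp - publishTime <= maxPriceAge;
    }
}
```

Pyth's interface also offers getPriceNoOlderThan(id, age), which reverts on a stale price; a revert inside latestAnswer would abort getAssetPrice instead of triggering its fallback branch, so the choice between reverting and returning 0 should be deliberate.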
Remediation
This issue was fixed by the Yei Finance team in commit b7bc3ac846.