Category: Coding Mistakes

Lack of freshness check in Api3Aggregator and LinkedAssetAggregator

High Severity
High Impact
High Likelihood

Description

The functions Api3Aggregator.latestRoundData() and LinkedAssetAggregator.latestRoundData() do not verify the freshness of the price data they retrieve. Api3LinkedAggregator has a freshness check for the exchange-rate feed, but it does not perform the same verification on the timestamps returned by originPriceFeed.latestRoundData():

function latestRoundData()
    public
    view
    override
    returns (/* [...] */)
{
    (int224 value, uint32 exchangeRateTimestamp) = exchangeRateFeed.read();
    uint256 duration = uint256(exchangeRateTimestamp) - block.timestamp;

    require(duration > freshCheck, "Not valid price");

    (uint80 tokenRoundId, int256 ethPrice,,, uint80 tokenAnsweredInRound) = originPriceFeed.latestRoundData();

    // [...]
}

This means that the affected aggregators could return outdated price information if the original price feed has a problem, and the protocol may be misled into relying on it as if it were an accurate, up-to-date price.

Impact

The absence of freshness checks could lead to the use of outdated price data, which can potentially cause loss of funds in the protocol.

Recommendations

Add checks to verify the freshness of the price data retrieved from the original price feed in Api3Aggregator and LinkedAssetAggregator.
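
One way to apply such a check to the timestamps returned by originPriceFeed.latestRoundData(), shown as an added example; it is not Takara Lend's fix and not code from the audited contracts. The contract name, the error names, readFreshPrice and maxStaleness are hypothetical, and the feed is assumed to expose the five-value latestRoundData() tuple seen in the excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Five-value feed interface, matching the shape of the
// originPriceFeed.latestRoundData() call in the excerpt.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical wrapper: every name except originPriceFeed is an
// assumption made for this example.
contract FreshOriginFeedReader {
    error StalePrice(uint256 updatedAt, uint256 nowTs);
    error InvalidRound(uint80 roundId, uint80 answeredInRound);
    error InvalidPrice(int256 answer);

    IAggregatorV3 public immutable originPriceFeed;
    uint256 public immutable maxStaleness; // maximum accepted age, in seconds

    constructor(IAggregatorV3 feed, uint256 maxStaleness_) {
        originPriceFeed = feed;
        maxStaleness = maxStaleness_;
    }

    function readFreshPrice() public view returns (int256 answer, uint256 updatedAt) {
        uint80 roundId;
        uint80 answeredInRound;
        (roundId, answer,, updatedAt, answeredInRound) = originPriceFeed.latestRoundData();

        // A zero timestamp is treated as an incomplete round. A timestamp
        // ahead of block.timestamp is rejected explicitly, so the subtraction
        // below reverts with a descriptive error instead of an arithmetic panic.
        if (updatedAt == 0 || updatedAt > block.timestamp) revert StalePrice(updatedAt, block.timestamp);
        // Age is "now minus updatedAt" and must not exceed the limit.
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, block.timestamp);
        // The answer must come from the reported round and be positive.
        if (answeredInRound < roundId) revert InvalidRound(roundId, answeredInRound);
        if (answer <= 0) revert InvalidPrice(answer);
    }
}
```

The limit should be chosen per feed, since a value shorter than the feed's normal update interval would reject valid prices.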

Remediation

This issue has been acknowledged by Takara Lend, and a fix was implemented in commit 3d738974.

Zellic © 2025