Lack of freshness check in Api3Aggregator and LinkedAssetAggregator
Description
The functions Api3Aggregator.latestRoundData() and LinkedAssetAggregator.latestRoundData() currently lack checks to verify the freshness of the retrieved price data. While Api3LinkedAggregator has a freshness check for the exchange-rate feed, it does not perform the same verification for the timestamps returned by originPriceFeed.latestRoundData():
    function latestRoundData()
        public
        view
        override
        returns (/* [...] */)
    {
        (int224 value, uint32 exchangeRateTimestamp) = exchangeRateFeed.read();
        uint256 duration = uint256(exchangeRateTimestamp) - block.timestamp;
        require(duration > freshCheck, "Not valid price");
        // The two timestamp return values of the origin feed are skipped here,
        // so the age of ethPrice is never checked.
        (uint80 tokenRoundId, int256 ethPrice,,, uint80 tokenAnsweredInRound) = originPriceFeed.latestRoundData();
        // [...]
    }
This means that the affected aggregators could return outdated price information if the original price feed has a problem, which may mislead the protocol into relying on it as if it were an accurate and up-to-date price.
Impact
The absence of freshness checks could lead to the use of outdated price data. It can potentially cause loss of funds in the protocol.
Recommendations
Add checks to verify the freshness of the price data retrieved from the original price feed in Api3Aggregator and LinkedAssetAggregator.
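One way to apply this recommendation, shown as an added example that is neither the audited project's code nor the fix from the remediation commit. It assumes originPriceFeed exposes a Chainlink-style latestRoundData() whose fourth return value is updatedAt, and that freshCheck is a maximum accepted age in seconds; the contract and function names FreshOriginPrice and _readFreshOriginPrice are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed shape of the origin feed (Chainlink-style aggregator interface).
interface IOriginFeed {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical base contract illustrating the check; not the project's code.
abstract contract FreshOriginPrice {
    IOriginFeed public immutable originPriceFeed;
    // Assumption: maximum accepted age of a price, in seconds.
    uint256 public immutable freshCheck;

    constructor(IOriginFeed feed, uint256 maxAge) {
        originPriceFeed = feed;
        freshCheck = maxAge;
    }

    // Reads the origin price and reverts unless its timestamp is recent enough.
    function _readFreshOriginPrice()
        internal
        view
        returns (uint80 roundId, int256 price, uint256 updatedAt)
    {
        // Keep updatedAt instead of discarding it.
        (roundId, price, , updatedAt, ) = originPriceFeed.latestRoundData();

        // A zero timestamp means the feed has no completed round to report.
        require(updatedAt != 0, "Round not complete");
        // Checked first so the age computation below cannot underflow.
        require(updatedAt <= block.timestamp, "Timestamp in future");
        // Age is "now minus update time"; it must not exceed the allowed window.
        require(block.timestamp - updatedAt <= freshCheck, "Stale price");
    }
}
```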
Remediation
This issue has been acknowledged by Takara Lend, and a fix was implemented in commit 3d738974.