0x8chars - No check for stale price from chainlink

[sherlock-admin]

0x8chars

medium

No check for stale price from chainlink

Summary

PriceOracle.getPriceFromChainlink() does not check if the price received from Chainlink is a stale price.

Vulnerability Detail

If the price received from Chainlink is a stale price, it does not reflect the true price of the underlying / borrow assets. This will affect the calculation of _getAccountLiquidity() and _isLiquidatable().

Impact

In the worst-case scenario, a malicious user might be able to take advantage of the stale price to borrow more than is allowed or redeem assets at a higher price than the real market price.

Code Snippet

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L66-L72

Tool used

Manual Review

Recommendation

function getPriceFromChainlink(address base, address quote) internal view returns (uint256) {
    (uint80 latestRoundId, int256 price,,uint256 updatedAt, uint80 answeredInRound) = registry.latestRoundData(base, quote); // returns roundId, answer, startedAt, updatedAt, answeredInRound
    require(price > 0, "invalid price");
		require(answeredInRound >= latestRoundId,"Price Stale" );

    // Extend the decimals to 1e18.
    return uint256(price) * 10 ** (18 - uint256(registry.decimals(base, quote))); // this normalizes chainlink price to 18 decimals. for all pairs, 8 decimals. for eth, 18 decimals. So for example, if quote is token/usd, that's 8 decimals. So you do price * 10**(18 - 8) or price * 10**10 so you get chainlink's price in 18 decimals.
}

Duplicate of #9