Lack of return data validation

Book an audit with Zokyo

Impact: Using stale, inaccurate, or unchecked data can lead to a multitude of problems. For DeFi protocols, these issues can result in financial losses, inaccurate calculations, or even system failures. The integrity of the entire system can be compromised if it relies on unvalidated or outdated data.

Proof of Concept:

  1. Stale Data from Latest Answer: Some protocols leverage functions like latestAnswer to fetch the latest price. While this might sound apt, it doesn't guarantee the freshness of data. For example:

int256 latestPrice = oracle.latestAnswer();

Without further validation, this data could be outdated, leading to miscalculations.

  1. Incomplete Round Checks: Fetching data without validating its round or timestamp could result in the protocol using data from incomplete or stale rounds. For instance:

(, int256 feedPrice, , uint256 timestamp, ) = feed.latestRoundData();

If crucial checks like timestamp != 0 or checks on answeredInRound are missed, the protocol might unwittingly use unreliable data.

  1. Misunderstanding Oracle's Return Data: Merely fetching the latestRoundData does not necessarily represent the current asset price. There's a need to actively query the oracle and wait for a callback, ensuring the most updated and accurate data is received.

  2. Ignoring Timestamps: Ignoring the updatedAt timestamps from oracle data can have dire consequences. Stale data might continue to be used, especially if there's a disruption in the oracle's update mechanism.

Recommended Mitigation Steps:

  1. Implement Comprehensive Checks: Whenever data is fetched from an oracle, validate it comprehensively. Use checks like:

(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
require(price > 0, "Invalid price data");
require(timeStamp != 0, "Incomplete round");
require(answeredInRound >= roundID, "Stale data detected");

  1. Stay Updated with Oracle Documentation: Continuously monitor and review oracle documentation to understand any changes or recommended best practices. This helps in adapting to the oracle's evolving standards.

  2. Active Oracle Querying: Instead of solely relying on fetching the latest available data, actively query the oracle for the most recent data and wait for a callback, ensuring data accuracy.

  3. Ensure Data Freshness: Always verify that the data received from the oracle is recent.

  4. Leverage Multiple Oracle Sources: To prevent dependence on a single data point, use multiple oracles or aggregated data sources. This not only ensures data reliability but also helps in filtering out outliers.

PreviousUsing Deprecated FunctionsNextInconsistent or Absent Price Data Fetching/Updating Intervals

Last updated