[2023-03-y2k] Missing check of oracle's return value

# [2023-03-y2k] Missing check of oracle's return value ###### tags: `sherlock`, `2023-03-y2k`, `medium` ## Summary Missing check the parameter `updatedAt` return from chainlink oracle ## Vulnerability Detail The `lastRoundData()`'s parameters according to [Chainlink](https://docs.chain.link/docs/data-feeds/price-feeds/api-reference/) are the following: ```solidity= function latestRoundData() external view returns ( uint80 roundId, // The round ID. int256 answer, // The price. uint256 startedAt, // Timestamp of when the round started. uint256 updatedAt, // Timestamp of when the round was updated. uint80 answeredInRound // The round ID of the round in which the answer was computed. ) ``` Function `ControllerPeggedAssetV2.getLatestPrice()` has 2 checks with 3 parameters `price`, `answerInRound`, `roundId` but forget to check the `updatedAt` return value which lead to the stale data from chainlink. ```solidity= function getLatestPrice(address _token) public view returns (int256) { /// ... (uint80 roundID, int256 price, , , uint80 answeredInRound) = priceFeed .latestRoundData(); uint256 decimals = priceFeed.decimals(); if (decimals < 18) { decimals = 10**(18 - (decimals)); price = price * int256(decimals); } else if (decimals == 18) { price = price; } else { decimals = 10**((decimals - 18)); price = price / int256(decimals); } if (price <= 0) revert OraclePriceZero(); if (answeredInRound < roundID) revert RoundIDOutdated(); return price; } ``` We can see the consequence about the missing check `updatedAt` in the Chainlink documentation: * [under historical price data: "A timestamp with zero value means the round is not complete and should not be used."](https://docs.chain.link/data-feeds/historical-data) ## Impact Stale return price value lead to incorrect de-peg events trigger. ## Code Snippet https://github.com/sherlock-audit/2022-12-lyra-WelToHackerLand/blob/a94da006a91aee064e4d8ccde45ae7e16275656b/contracts/GMXAdapter.sol#L192 ## Tool used Manual Review ## Recommendation Modify the function to have a check like this: ```solidity= (uint80 roundID, int256 feedPrice, , uint256 timestamp, uint80 answeredInRound) = feed.latestRoundData(); require(feedPrice > 0, "Chainlink price <= 0"); require(answeredInRound >= roundID, "Stale price"); require(timestamp != 0, "Round not complete"); ```