Vulnerabilities

Stale Oracle Price

A stale oracle price is an old oracle value that is still returned but no longer reflects current market or protocol conditions.

A stale oracle price is a price that is technically available but too old to trust.

Stale Oracle Price Explained in Detail

An oracle can keep returning a value after it stops updating. That value may be validly encoded but unsafe for current decisions.

For Chainlink-style feeds, updatedAt is the key timestamp auditors check.

Smart contract example

require(block.timestamp - updatedAt <= maxStaleness, "stale");

The max staleness should match the asset and protocol risk.

Stale Oracle Price in Auditing

Stale prices can trigger bad liquidations, undercollateralized borrowing, incorrect minting, or blocked withdrawals. The code may look safe because it read an oracle, but the value can be outdated.

Auditors test oracle failure and delayed-update paths.

Red flags in code

  • No updatedAt or freshness check.

  • updatedAt == 0 is accepted.

  • Fallback price can remain active indefinitely.

  • L2 sequencer downtime is ignored.

  • Sensitive actions continue when the feed reverts or stops updating.

How to test or review it

  • Mock old timestamps and expect sensitive actions to revert or pause.

  • Test zero timestamp, reverted feed, and unchanged price during volatile conditions.

  • Check fallback activation and expiry.

  • Verify governance can update stale feed configs safely.

  • Review liquidation and borrowing behavior under stale data.

Sources