Oracle staleness check present
Fluid's assessment for RD-F-059 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Oracle staleness check ABSENT on Ethereum mainnet. ChainlinkSourceReader calls IChainlinkAggregatorV3.latestRoundData() and extracts only the exchangeRate (second return value), discarding updatedAt entirely. No comparison to block.timestamp or maxAge is performed. ChainlinkOracleImpl confirms the same — no updatedAt validation. RedstoneOracleImpl similarly has no timestamp freshness check. The StateMind audit (December 2023) explicitly noted the absence of staleness checks and recorded Fluid's accepted-risk decision: for mainnet, Fluid decided to accept the stale-data risk similar to Compound and Aave, with plans to implement checks on L2s. However as of the last commit (2026-03-04), no staleness check exists in chainlinkSourceReader.sol or chainlinkOracleImpl.sol. With AVAX/USD at 86400s heartbeat and 2% deviation, and USDT/USD at 86400s heartbeat, a stale price of up to 24 hours could be accepted without detection.
Sources #
- GitHubChainlinkOracleImpl — no staleness check (raw source confirmed)Instadapp/fluid-contracts-public/contracts/oracle/implementations/chainlinkOracleImpl.sol — _readFeedRate no updatedAt checkretrieved 2026-04-29
- StateMind Fluid Audit (December 2023) — Oracle Staleness FindingStateMind Fluid Audit PDF — staleness check finding: accepted risk on mainnet, L2 check plannedretrieved 2026-04-29
- ChainlinkSourceReader — no staleness check (raw source confirmed)Instadapp/fluid-contracts-public/contracts/oracle/sourceReaders/chainlinkSourceReader.sol — latestRoundData() called, updatedAt discardedretrieved 2026-04-29
Methodology #
Determine whether the protocol rejects oracle reads older than a declared maximum age (i.e., checks `updatedAt > block.timestamp - maxStaleness`).
See the full factor methodology and distribution across all protocols →