This repository has been archived by the owner on May 26, 2023. It is now read-only.
DepositReceipt_Base.sol#L21 : HEARTBEAT_TIME gap is too huge
3 hours as recommended by the auditor does not seem sufficient. Some Optimism price feeds such as ETH/USD and OP/USD have Heartbeats of 1200s or 20min. Currently we cannot find a method to fetch this via the oracle address and it looks like the Heartbeat sensitivity would have to be set per deployment of the depositReceipt.
ak1
medium
DepositReceipt_Base.sol#L21 : HEARTBEAT_TIME gap is too huge
Summary
HEARTBEAT_TIME = 24 hours may not be safe. The oracle data could still be stale.
Vulnerability Detail
The oracle is using a HEARTBEAT_TIME of 24 hours. Since the oracle price could vary within a time gap of 3 hours, using 24 hours could still be dangerous.
Impact
Stale data used. Front runnable issue.
Code Snippet
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Velo-Deposit-Tokens/contracts/DepositReceipt_Base.sol#L21
Tool used
Manual Review
Recommendation
Use 3 hours as heartbeat.
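A staleness check with the heartbeat fixed per deployment, as the comment on per-feed heartbeats suggests. This is an added example, not code from the Isomorph repository: the contract name `HeartbeatCheckedFeed`, its errors and `latestPrice()` are hypothetical, and it assumes the oracle exposes a Chainlink-style `latestRoundData()` (the page says only "oracle").

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Assumption: the price feed follows the Chainlink AggregatorV3Interface shape.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical wrapper: one instance per feed, each with its own heartbeat.
contract HeartbeatCheckedFeed {
    AggregatorV3Interface public immutable feed;
    // Maximum accepted age of an answer in seconds, set at deployment to match
    // the feed's published heartbeat (e.g. 1200 for a 20 minute feed).
    uint256 public immutable heartbeat;

    error StalePrice(uint256 updatedAt, uint256 currentTime);
    error InvalidPrice(int256 answer);

    constructor(AggregatorV3Interface _feed, uint256 _heartbeat) {
        require(address(_feed) != address(0), "feed is zero address");
        require(_heartbeat != 0, "heartbeat is zero");
        feed = _feed;
        heartbeat = _heartbeat;
    }

    function latestPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round never completed; a timestamp in the
        // future would underflow the age calculation, so reject both first.
        if (
            updatedAt == 0 ||
            updatedAt > block.timestamp ||
            block.timestamp - updatedAt > heartbeat
        ) revert StalePrice(updatedAt, block.timestamp);
        return uint256(answer);
    }
}
```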