This repository has been archived by the owner on Jun 30, 2024. It is now read-only.
Coinstein - Chainlink heartbeat time gap is too huge #87
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Comments
sherlock-admin
changed the title
github-actions
bot
added
the
Excluded
|
Invalid, out of scope, admins are trusted to input appropriate heartbeats |
sherlock-admin2
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Coinstein
medium
Chainlink heartbeat time gap is too huge
Summary
Unrestricted update threshold allows stale oracle pricing data.
Vulnerability Detail
The ChainlinkPriceFeeds contract does not limit the update threshold for the pricing oracle data. This threshold is configured on deployment via the out-of-scope PRICEv2Install script, which currently sets it to 24 hours
Note: This is similar with one of the rewarded past issue: sherlock-audit/2022-11-isomorph-judging#256
Impact
There is a risk of stale pricing and front running issue
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/PRICE/submodules/feeds/ChainlinkPriceFeeds.sol
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/scripts/ops/batches/PRICEv2Install.sol#L244-L247
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/scripts/ops/batches/PRICEv2Install.sol#L273-L278
Tool used
Manual Review
Recommendation
Modify the in-scope contract ChainlinkPriceFeeds to restrict the update threshold to a maximum of 3 hours in the getOneFeedPrice and getTwoFeedPriceMul functions.
The text was updated successfully, but these errors were encountered: