staleCheckLatestRoundData does not work properly if the update intervals(heartbeats) of the oracles are different
Summary
staleCheckLatestRoundData does not work properly if the update intervals(heartbeats) of the oracles are different
Vulnerability Details
The contract allows configuring only one price freshness duration (the TIMEOUT variable). However, different Chainlink price feeds have different heartbeat periods: for example, the ETH/USD feed is updated every 3600 seconds, but the LINK/ETH feed is updated every 21600 seconds. If, for example, the TIMEOUT variable is set to 3600 seconds, then querying a LINK/ETH price will constantly fail after 3600 seconds have passed since the LINK/ETH feed has been updated and until it's updated again (in this case, the DoS will continue for 18000 seconds (5 hours) after every 3600 seconds (1 hour)).
Impact
The TIMEOUT variable is not effective to check the timeliness of prices. It can allow stale prices in one price feed or always revert to another price feed.
Tools Used
Manual review
Recommendations
Add different timeout variables depending on the number of assets being used in the project.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.