15,000 USDC
Submission Details
Severity: medium
Valid

staleCheckLatestRoundData does not work properly if the update intervals (heartbeats) of the oracles are different

Summary

staleCheckLatestRoundData does not work properly if the update intervals (heartbeats) of the oracles are different

Vulnerability Details

The contract allows configuring only one price-freshness duration (the TIMEOUT variable). However, different Chainlink price feeds have different heartbeat periods: for example, the ETH/USD feed is updated every 3600 seconds, but the LINK/ETH feed is updated every 21600 seconds. If, for example, TIMEOUT is set to 3600 seconds, then querying the LINK/ETH price will fail constantly from 3600 seconds after the LINK/ETH feed was last updated until it is updated again (in this case, the DoS lasts 18000 seconds (5 hours) following each 3600-second (1-hour) window in which the price is accepted).

Impact

The TIMEOUT variable is not effective for checking the timeliness of prices: a single value can allow stale prices from one price feed while causing every query to another price feed to revert.

Tools Used

Manual review

Recommendations

Add separate timeout variables, one per asset (price feed) used in the project.
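The following is an added illustration, not the audited project's code, of the single-timeout pattern described above beside a per-feed variant that implements the recommendation. The library and contract names, the `3 hours` constant, the `heartbeatOf` mapping and the 5-minute grace margin are assumptions; `AggregatorV3Interface` is the standard Chainlink interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Example code, not the project's own. Feed addresses and heartbeats are configured by the deployer.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

library OracleLib {
    error OracleLib__StalePrice();
    // One timeout shared by every feed (assumed value): too short for a 21600 s heartbeat
    // (reverts most of the time), too long for a 3600 s heartbeat (accepts old prices).
    uint256 private constant TIMEOUT = 3 hours;

    // Pattern described in the finding: the same TIMEOUT is applied to every feed.
    function staleCheckSingleTimeout(AggregatorV3Interface feed) internal view returns (int256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (block.timestamp - updatedAt > TIMEOUT) revert OracleLib__StalePrice();
        return answer;
    }

    // Per-feed variant: the caller passes the timeout that matches THIS feed's heartbeat.
    function staleCheckLatestRoundData(AggregatorV3Interface feed, uint256 timeout)
        internal view returns (int256)
    {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (updatedAt == 0) revert OracleLib__StalePrice(); // round never completed
        if (block.timestamp - updatedAt > timeout) revert OracleLib__StalePrice();
        return answer;
    }
}

contract PriceConsumer {
    error PriceConsumer__UnknownFeed();
    address public immutable owner;
    // Heartbeat per feed address, e.g. 3600 for ETH/USD and 21600 for LINK/ETH (values from the finding).
    mapping(address => uint256) public heartbeatOf;

    constructor() { owner = msg.sender; }

    function setHeartbeat(address feed, uint256 heartbeat) external {
        require(msg.sender == owner, "not owner");
        heartbeatOf[feed] = heartbeat;
    }

    function getPrice(address feed) external view returns (int256) {
        uint256 hb = heartbeatOf[feed];
        if (hb == 0) revert PriceConsumer__UnknownFeed(); // refuse feeds with no configured heartbeat
        // Grace margin (assumed) absorbs the feed's own update latency without accepting truly stale data.
        return OracleLib.staleCheckLatestRoundData(AggregatorV3Interface(feed), hb + 5 minutes);
    }
}
```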
