15,000 USDC
Submission Details
Severity: medium
Valid

`OracleLib` is not considering that each ChainLink Data Feed could have a different `Heartbeat` configuration value

Summary

OracleLib does not account for the possibility that the ChainLink Data Feed Heartbeat config value differs between the pairs used by the DSCEngine.

By not doing so, OracleLib is making a wrong assumption and the following scenarios could happen:

  • The protocol will revert declaring a price stale when in reality the price is not stale

  • The protocol will accept price as non-stale when in reality the price is stale

Vulnerability Details

The OracleLib will consider a ChainLink response stale if the response is older than 3 times the current ChainLink Data Feed Heartbeat.

The Heartbeat config value can be changed by ChainLink, and it's wrong to assume that any tokenX / USD pair will use the same config value for Heartbeat.

Scenario 1) ChainLink Heartbeat is > 10800 seconds. If there is no price change above the deviation threshold, the OracleLib will consider the ChainLink response stale even if the response is not stale (by ChainLink standards).

Scenario 2) ChainLink Heartbeat is 1800 seconds (30 minutes). The current OracleLib.TIMEOUT is 10800 and it seems to have been calculated as 3x the current CL Heartbeat, so the logic is that a price is stale if it has not changed in 3x Heartbeat. With this value of CL Heartbeat, the price should be considered stale if the answer has not been updated after 1.5 hours. This means that, under the current logic of OracleLib, a price that should be considered stale is instead accepted and used by the protocol.

Impact

Depending on the ChainLink Data Feed value for the Heartbeat configuration, the following scenarios could happen in the protocol:

  • The protocol will revert declaring a price stale when in reality the price is not stale

  • The protocol will accept price as non-stale when in reality the price is stale

Tools Used

Manual

Recommendations

The OracleLib TIMEOUT parameter should not be declared constant but should be a variable that can be updated by the DSCEngine owner or by the Governance when needed and based on the specific ChainLink Data Feed Heartbeat value.

  • Set the TIMEOUT as non-constant

  • Initialize the value of TIMEOUT based on the current ChainLink Heartbeat value

  • Add a setTimeout function callable only by the DSCEngine owner / Governance to update the TIMEOUT when needed
