Submission Details
Severity: medium
Valid

Hardcoded heartbeat period can cause an incorrect staleness check and major DoS

Summary

The use of a constant heartbeat threshold for every price feed results in an inaccurate staleness check, which leads either to computing with a stale price or to an unnecessary DoS of the protocol.

Vulnerability Details

The heartbeat period, TIMEOUT, is hardcoded to 3 hours for all feeds.

File: OracleLib.sol
19: uint256 private constant TIMEOUT = 3 hours;
30: if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();

Link to code

But as the Chainlink documentation notes:

Users should build applications with the understanding that data feeds for wrapped or liquid staking assets might have different heartbeat and deviation thresholds than that of the underlying asset.

Currently, the ETH / USD price feed has a heartbeat period of 1 hour, while the USDT / USD price feed has a heartbeat period of 24 hours.

Impact

This issue has two scopes of impact:

  1. If the feed's actual heartbeat period is shorter than 3 hours (e.g. ETH / USD): should the Chainlink aggregator stop updating or be compromised, the protocol keeps accepting prices for up to 3 hours that the feed itself already considers stale.

  2. If the feed's actual heartbeat period is longer than 3 hours (e.g. USDT / USD): this leads to a massive DoS of the entire protocol. Since the price is updated only once a day, the check on line 30 reverts for the remaining 21 hours of every day.

Because the DoS covers more than 87% of the active time, it is reported as High.

Tools Used

Manual Review

Recommendations

Keep a mapping of TIMEOUT values, one per price feed, with an owner-only function to update them, so each feed's threshold can match its documented heartbeat.
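The recommendation sketched in Solidity, as an added example that is not the audited project's code: the threshold is read from a per-feed mapping that only the owner can set, and the check from line 30 otherwise stays the same. The contract name, the inline interface and the error names other than OracleLib__StalePrice are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the
// example compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external view
        returns (uint80, int256, uint256, uint256, uint80);
}

// Hypothetical contract (not the audited project's code): one staleness
// threshold per feed instead of a single hardcoded TIMEOUT.
contract PerFeedOracleCheck {
    error OracleLib__StalePrice();
    error PerFeedOracleCheck__NotOwner();
    error PerFeedOracleCheck__TimeoutNotSet();

    address public immutable owner;
    // feed address => maximum accepted age of the latest answer, in seconds
    mapping(address => uint256) public timeoutOf;
    event TimeoutUpdated(address indexed feed, uint256 timeout);

    constructor() {
        owner = msg.sender;
    }

    // Owner sets the threshold per feed, e.g. 1 hour for ETH/USD and 24 hours
    // for USDT/USD, matching each feed's documented heartbeat.
    function setTimeout(address feed, uint256 timeout) external {
        if (msg.sender != owner) revert PerFeedOracleCheck__NotOwner();
        timeoutOf[feed] = timeout;
        emit TimeoutUpdated(feed, timeout);
    }

    // Same check as the original, but the threshold comes from the mapping;
    // a feed with no configured timeout is rejected rather than accepted at any age.
    function staleCheckLatestRoundData(AggregatorV3Interface feed)
        public view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        uint256 timeout = timeoutOf[address(feed)];
        if (timeout == 0) revert PerFeedOracleCheck__TimeoutNotSet();
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > timeout) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}
```

A feed whose heartbeat changes can then be re-tuned by the owner without redeploying the checking logic.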
