Hardcoded Heart beat period can cause an incorrect staleness check and Major DoS
Summary
The use of a constant heartbeat threshold may result in an inaccurate staleness check, ultimately leading to the computation of the price or Unnecessary DoS.
Vulnerability Details
Heartbeat period or TIMEOUT is set fixed to 3 hours.
But As mentioned by Chainlink documentation:
Users should build applications with the understanding that data feeds for wrapped or liquid staking assets might have different heartbeat and deviation thresholds than that of the underlying asset.
Currently, ETH / USD price feed has heartbeat period of 1 hour while USDT / USD price feed has heartbeat period of 24 hours.
Impact
Currently there are 2 scopes of impact of this issue:
In case the original Heartbeat period < 3 hours (E.g: ETH / USD): In case of aggregators of chainlink getting compromised, the protocol will continue to accept stale prices.
In case the original Heartbeat period > 3 hours (E.g: USDT / USD): This case will lead to massive DoS for the entire protocol. Given the price update will happen only once in a day, So for 21 hours of the remaining day, the condition on line 30 will always revert.
Because for DoS of more than 87% of the active time, reporting it as High.
Tools Used
Manual Review
Recommendations
Have an mapping of TIMEOUT value corresponding to each price feed with an owner accessed option to update it.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.