Submission Details
Severity: medium
Valid

The TIMEOUT setting of the Chainlink oracle is too large

Summary

Outdated Oracle Data Check Function Vulnerability

Vulnerability Details

In the OracleLib library of the smart contract there is a potential vulnerability. The library is used to interact with a Chainlink oracle and to check whether the data returned by the oracle is outdated. The issue lies in the staleness threshold (HEARTBEAT_TIME / TIMEOUT) being set to 3 hours (10800 seconds), while the actual update interval of the oracle is 1 hour (3600 seconds). According to Chainlink's documentation, the price update interval (heartbeat) for both the WETH and WBTC feeds used in this contract is 1 hour. This means that a price the oracle has stopped updating can be up to two hours past its heartbeat and still be accepted by the check as fresh, potentially leading to computations based on stale data.

Impact

Because the timeliness of the oracle data is misjudged, outdated price data may be used for sensitive calculations or transactions, resulting in incorrect outcomes and potential financial losses. Attackers can exploit this for malicious manipulation or improper behavior, further endangering the normal operation of the smart contract and the security of contract users' assets.

Tools Used

Manual review

Recommendations

It is recommended that the smart contract developer fix the outdated-data check in the OracleLib library to ensure the timeliness and accuracy of the oracle data. TIMEOUT should be set to the actual update interval of the oracle (i.e., 1 hour or 3600 seconds) to avoid using stale data.
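The staleness check described in this finding, written out as an added Solidity example for illustration; it is not the audited project's OracleLib and not the submitter's code. The AggregatorV3Interface subset mirrors the real Chainlink interface, while StaleCheckLib, MockFeed, PriceConsumer and their function and constant names are assumed here. The two constants place the weak 3-hour setting beside the recommended 1-hour heartbeat so both can be exercised against the same feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Minimal subset of Chainlink's AggregatorV3Interface; only latestRoundData is needed here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative staleness check (assumed library, not the audited project's OracleLib).
library StaleCheckLib {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);

    /// Weak setting described in the finding: three times the feed's documented heartbeat.
    uint256 internal constant TIMEOUT_TOO_LARGE = 3 hours; // 10800 seconds

    /// Recommended setting: the feed's documented heartbeat (WETH/USD and WBTC/USD: 1 hour).
    uint256 internal constant TIMEOUT_HEARTBEAT = 1 hours; // 3600 seconds

    /// Returns the latest answer and its timestamp, reverting if the round is older than
    /// maxAge seconds, has no completion timestamp, or carries a non-positive answer.
    function latestAnswerWithMaxAge(AggregatorV3Interface feed, uint256 maxAge)
        internal
        view
        returns (int256 answer, uint256 updatedAt)
    {
        (, answer, , updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round never completed; a future timestamp is rejected too.
        if (updatedAt == 0 || updatedAt > block.timestamp) revert StalePrice(updatedAt, maxAge);
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
    }
}

/// Test double (constructed for this example): a feed whose updatedAt the deployer controls.
contract MockFeed is AggregatorV3Interface {
    int256 public price;
    uint256 public lastUpdate;

    constructor(int256 price_, uint256 lastUpdate_) {
        price = price_;
        lastUpdate = lastUpdate_;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, price, lastUpdate, lastUpdate, 1);
    }
}

/// Consumer exposing both thresholds so the difference is observable on one feed.
contract PriceConsumer {
    AggregatorV3Interface public immutable feed;

    constructor(AggregatorV3Interface feed_) {
        feed = feed_;
    }

    /// Accepts a price up to 3 hours old: a feed stuck for 2.5 hours still passes.
    function priceWithWeakTimeout() external view returns (int256 answer) {
        (answer, ) = StaleCheckLib.latestAnswerWithMaxAge(feed, StaleCheckLib.TIMEOUT_TOO_LARGE);
    }

    /// Accepts a price up to 1 hour old: the same 2.5-hour-old round reverts with StalePrice.
    function priceWithHeartbeatTimeout() external view returns (int256 answer) {
        (answer, ) = StaleCheckLib.latestAnswerWithMaxAge(feed, StaleCheckLib.TIMEOUT_HEARTBEAT);
    }
}
```

To reproduce the finding, deploy MockFeed with lastUpdate set to block.timestamp minus 9000 seconds (2.5 hours) and point a PriceConsumer at it: priceWithWeakTimeout returns the stuck price, while priceWithHeartbeatTimeout reverts with StalePrice. Two caveats for the fix: a Chainlink heartbeat is the maximum interval between updates (feeds also push on price deviation), so the bound must be taken from the documentation of the specific feed and network, and feeds with different heartbeats need different bounds rather than one shared constant.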
