Outdated Oracle Data Check Function Vulnerability
In the OracleLib library of the smart contract there is a potential vulnerability. The library is used to interact with an oracle and to check whether the data returned by the oracle is outdated. However, the outdated-data threshold (HEARTBEAT_TIME) is set to 3 hours (10800 seconds), while the actual update interval of the oracle is 1 hour (3600 seconds). According to Chainlink's documentation, the price update interval for both the WETH and WBTC feeds used in this contract is 1 hour. This means that a price the oracle has not refreshed for up to three hours still passes the check, so the smart contract may perform computations based on stale data.
Due to misjudging the timeliness of the oracle data, it is possible that outdated price data may be used for sensitive calculations or transactions, resulting in incorrect outcomes and potential financial losses. Attackers can exploit this vulnerability for malicious manipulation or improper behavior, further endangering the normal operation of the smart contract and the security of contract users' assets.
Manual review
It is recommended that the smart contract developer correct the outdated-data check in the OracleLib library to ensure the timeliness and accuracy of the oracle data. The TIMEOUT should be set to the actual update interval of the oracle (i.e., 1 hour or 3600 seconds) to avoid using stale data.
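As an added illustration (not the audited project's OracleLib), the following Solidity library takes the staleness window per feed so that it can match each feed's documented heartbeat instead of one hard-coded 3-hour constant; the interface mirrors Chainlink's AggregatorV3Interface, while the library and contract names, the feed addresses and the 5-minute grace margin are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal copy of the Chainlink aggregator read function used below.
interface AggregatorV3Interface {
    // returns (roundId, answer, startedAt, updatedAt, answeredInRound)
    function latestRoundData() external view
        returns (uint80, int256, uint256, uint256, uint80);
}

// Added example, not the audited project's library: the maximum accepted age
// is passed per feed instead of a single global TIMEOUT.
library HeartbeatOracleLib {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);

    // Assumed allowance for the heartbeat transaction landing a few blocks
    // late; with maxAge == heartbeat exactly, an on-time feed can still revert.
    uint256 internal constant GRACE = 5 minutes;

    function freshPrice(AggregatorV3Interface feed, uint256 heartbeat)
        internal view returns (int256 answer, uint256 updatedAt)
    {
        (, answer, , updatedAt, ) = feed.latestRoundData();
        uint256 maxAge = heartbeat + GRACE;
        // updatedAt == 0 means the round never completed; a 1-hour feed that
        // missed two updates now fails instead of passing a 3-hour window.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }
        if (answer <= 0) revert InvalidPrice(answer);
    }
}

contract PriceConsumer {
    using HeartbeatOracleLib for AggregatorV3Interface;

    // Heartbeat per feed, taken from Chainlink's feed documentation
    // (1 hour for the WETH/USD and WBTC/USD feeds named in the finding).
    mapping(address => uint256) public heartbeatOf;

    constructor(address wethFeed, address wbtcFeed) {
        heartbeatOf[wethFeed] = 1 hours;
        heartbeatOf[wbtcFeed] = 1 hours;
    }

    function usdPrice(address feed) external view returns (int256 price) {
        (price, ) = AggregatorV3Interface(feed).freshPrice(heartbeatOf[feed]);
    }
}
```

Because Chainlink feeds also update on price deviation, updatedAt is often more recent than the heartbeat; the heartbeat is the upper bound the check should enforce.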