The TIMEOUT setting of the Chainlink oracle is too large
Summary
Outdated Oracle Data Check Function Vulnerability
Vulnerability Details
In the library OracleLib of the smart contract , there is a potential vulnerability. The library is used to interact with an oracle and check if the data returned by the oracle is outdated. However, the vulnerability lies in the setting of the outdated time (HEARTBEAT_TIME) to 3 hours (10800 seconds), while the actual update time of the oracle is 1 hour (3600 seconds). According to Chainlink's documentation, the price update interval for both WETH and WBTC used in this contract is 1 hour.This means that even after the oracle updates its data, the smart contract may still consider the data as outdated, potentially leading to computations based on stale data.
Impact
Due to misjudging the timeliness of the oracle data, it is possible that outdated price data may be used for sensitive calculations or transactions, resulting in incorrect outcomes and potential financial losses. Attackers can exploit this vulnerability for malicious manipulation or improper behavior, further endangering the normal operation of the smart contract and the security of contract users' assets.
Tools Used
Manual review
Recommendations
It is recommended that the smart contract developer addresses the outdated oracle data check functionality in the OracleLib library to ensure the real-time and accuracy of the oracle data. The TIMEOUT should be set to the actual update interval of the oracle (i.e., 1 hour or 3600 seconds) to avoid using stale data.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.