Summary

Chainlink updates the price feeds data when any of these conditions are met:

1. Either when the price moves more than the Deviation threshold.

2. Or when heartbeat time reaches.

In our case, we have set the Heartbeat rate as constant to 10800s (3 hours) whereas many price feeds have different heartbeat rates. The most common rate is 86400s (24 hours) which is far beyond our hard-coded limit.

Impact

This will pause the functionalities of our protocol (mint, burn, redeem, liquidate) because in all these functions we are using the price feeds.

Vulnerability Details

In the staleCheckLatestRoundData function we are validating the condition that the difference between the current time and the updated price feeds data time should be greater than the heartbeat(hardcoded) rate.

This will be true for many price feeds because their heartbeat rate is greater than this hardcoded value and users using the above-mentioned functions will see the revert error revert OracleLib__StalePrice() but in actual price will not be stale.

This will pause these functionalities for them until the price is not updated through deviation or when again the new price will be within the range of 3 hours (and again this will happen after 3 hours of price update).

Tools Used

Manual Review

Recommendations

We should not hardcode the heartbeat rate instead. We can get the heartbeat rate from aggregator (I searched but didn't find any function in the price feed for it) or can set the mappings and when registering price feeds in the contract we can set their heartbeats as well.