The OracleLib
smart contract contains a hardcoded TIMEOUT
constant, which may not be flexible enough to accommodate the timeliness of all potential price feeds. This may lead to the DoS of the system in case the price feed fails to update faster than 3 hours.
In OracleLib.sol:19
, the hardcoded TIMEOUT
constant was set to 3 hours, which will apply to every instance in which OracleLib
checks the Chainlink Oracle for stale data.
Depending on different network conditions or tokens, this timeout value may not be optimally suited for all price feeds.
For example, the DOT/USD price feed contains a heartbeat of 24h, meaning that it may not update as frequently as the hardcoded value expects.
As a result, the staleCheckLatestRoundData
may revert even if the price feeds are functioning correctly, which can prevent liquidations or redemption of collateral, that both depend on OracleLib
.
Denial of Service depending on the heartbeat of the price feeds used. Users may not be liquidated when they should, or may not be able to withdraw their collateral.
Manual Review
We recommend making the TIMEOUT configuration adaptable to the specific price feeds used in the DSC token. This can be a value passed into the constructor together with the tokenAddresses
and priceFeedAddresses
.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.