15,000 USDC
View results
Submission Details
Severity: medium
Valid

Hardcoded TIMEOUT in OracleLib may lead to DoS of liquidations

Summary

The OracleLib smart contract contains a hardcoded TIMEOUT constant, which may not be flexible enough to accommodate the timeliness of all potential price feeds. This may lead to the DoS of the system in case the price feed fails to update faster than 3 hours.

Vulnerability Details

In OracleLib.sol:19, the hardcoded TIMEOUT constant was set to 3 hours, which will apply to every instance in which OracleLib checks the Chainlink Oracle for stale data.

Depending on different network conditions or tokens, this timeout value may not be optimally suited for all price feeds.

For example, the DOT/USD price feed contains a heartbeat of 24h, meaning that it may not update as frequently as the hardcoded value expects.

As a result, the staleCheckLatestRoundData may revert even if the price feeds are functioning correctly, which can prevent liquidations or redemption of collateral, that both depend on OracleLib.

Impact

Denial of Service depending on the heartbeat of the price feeds used. Users may not be liquidated when they should, or may not be able to withdraw their collateral.

Tools Used

Manual Review

Recommendations

We recommend making the TIMEOUT configuration adaptable to the specific price feeds used in the DSC token. This can be a value passed into the constructor together with the tokenAddresses and priceFeedAddresses.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.