15,000 USDC
Submission Details
Severity: medium
Valid

DSCEngine would be unusable if a token's Chainlink update interval (heartbeat threshold period) is longer than 3 hours

Summary

The TIMEOUT constant in libraries/OracleLib.sol is hard-coded to 3 hours for every price feed. For any feed whose heartbeat is longer than that, the price can legitimately go more than 3 hours without an update (no deviation above the threshold means no new round), so the staleness check starts reverting and every DSCEngine operation that reads the price is blocked until the next heartbeat update. This amounts to a recurring temporary freeze of all users' funds.

Vulnerability Details

There are currently 2 "trigger" parameters that kick off Chainlink nodes to update.
A deviation parameter: The Chainlink nodes are monitoring the prices of the assets off-chain. If the real-world price of an asset deviates past some interval, it will trigger all the nodes to do an update. Right now, most Ethereum data feeds have a 0.5% deviation threshold.

A time interval: If the price stays within the deviation parameters, it will only trigger an update every X minutes / hours. It is also known as a heartbeat.
Source: Chainlink

Many Chainlink token price feeds have a heartbeat threshold period longer than 3 hours; examples include BNB/USD (4 hours), DOT/USD (24 hours) and DOGE/USD (24 hours).

However, OracleLib.sol has a single TIMEOUT constant fixed at 3 hours, and that one value is used for every feed to decide whether the latest price data is stale. A feed with a heartbeat longer than 3 hours is therefore reported as stale during normal operation, not only when the oracle has actually failed.

Impact

Let us assume the contracts use a Chainlink price feed with a heartbeat threshold period of 24 hours and a price deviation threshold of 1%. If the price does not move by more than 1% during that period, the feed is updated only once per day; the staleness check passes for the first 3 hours after each update and reverts for the remaining 21, so DSCEngine stays frozen for 21 out of 24 hours. Because every operation that depends on the price reverts during that window, users cannot act on their positions until the next heartbeat round lands, and there is nothing they can do to unfreeze the protocol sooner.

Tools Used

Manual review

Recommendations

Make the timeout configurable per price feed instead of a single constant: pass each feed's heartbeat into the constructor and store it in a mapping from price feed to timeout (one entry per feed when more than one token is supported). The stored value should be the heartbeat Chainlink publishes for that feed on the target chain plus a small grace period, so that a round delivered slightly late is not rejected; a timeout shorter than the real heartbeat simply reintroduces the freeze.
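The following sketch shows one way to implement the per-feed timeout. It is an added example, not code from the DSCEngine repository: the library takes the allowed age as a parameter, and a cut-down engine contract stores one timeout per feed at deployment. The Chainlink import path, the GRACE_PERIOD value, the constructor shape and the names DSCEngineOracleSketch, s_feedTimeouts and latestPrice are all assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Import path assumed to match the @chainlink/contracts package layout.
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// Staleness check that takes the allowed age per call instead of relying on
/// one hard-coded TIMEOUT shared by every feed.
library OracleLib {
    error OracleLib__StalePrice(address feed, uint256 secondsSinceUpdate, uint256 timeout);
    error OracleLib__IncompleteRound(address feed);

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed, uint256 timeout)
        internal
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // A round that never completed, or a non-positive answer, is rejected
        // regardless of its age.
        if (updatedAt == 0 || answer <= 0) {
            revert OracleLib__IncompleteRound(address(priceFeed));
        }

        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > timeout) {
            revert OracleLib__StalePrice(address(priceFeed), secondsSince, timeout);
        }
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

/// Hypothetical sketch of the oracle-related part of DSCEngine: one timeout
/// per price feed, fixed at deployment from the heartbeat published for it.
contract DSCEngineOracleSketch {
    using OracleLib for AggregatorV3Interface;

    error DSCEngine__ArrayLengthMismatch();
    error DSCEngine__ZeroHeartbeat(address feed);

    // Assumed value: grace added on top of each heartbeat so that a round
    // landing a few minutes late is not treated as an oracle failure.
    uint256 private constant GRACE_PERIOD = 15 minutes;

    mapping(address token => address priceFeed) private s_priceFeeds;
    mapping(address priceFeed => uint256 maxAge) private s_feedTimeouts;

    /// `heartbeats[i]` is the heartbeat, in seconds, that Chainlink publishes
    /// for `feeds[i]` on the chain this contract is deployed to.
    constructor(address[] memory tokens, address[] memory feeds, uint256[] memory heartbeats) {
        if (tokens.length != feeds.length || feeds.length != heartbeats.length) {
            revert DSCEngine__ArrayLengthMismatch();
        }
        for (uint256 i = 0; i < tokens.length; i++) {
            // A zero heartbeat would make every price stale on the first read.
            if (heartbeats[i] == 0) revert DSCEngine__ZeroHeartbeat(feeds[i]);
            s_priceFeeds[tokens[i]] = feeds[i];
            s_feedTimeouts[feeds[i]] = heartbeats[i] + GRACE_PERIOD;
        }
    }

    function feedTimeout(address priceFeed) external view returns (uint256) {
        return s_feedTimeouts[priceFeed];
    }

    /// Latest price of `token`; reverts only if its feed is older than that
    /// feed's own timeout, so a 24-hour feed is no longer flagged after 3 hours.
    function latestPrice(address token) public view returns (int256 price) {
        AggregatorV3Interface feed = AggregatorV3Interface(s_priceFeeds[token]);
        (, price,,,) = feed.staleCheckLatestRoundData(s_feedTimeouts[address(feed)]);
    }
}
```

With this layout the 24-hour feed from the impact example above gets a timeout of 24 hours plus the grace period, so it is only reported stale when the oracle has actually missed a heartbeat, while a feed with a short heartbeat keeps a correspondingly short timeout. The heartbeat values must be read from Chainlink's feed page for the specific chain, since the same pair can have different parameters on different networks.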
