Time Manipulation Vulnerability in Oracle Function
Summary
The "staleCheckLatestRoundData" function is vulnerable to time manipulation, which could be exploited by malicious miners during periods of Chainlink failure or temporary network disruptions. The vulnerability arises from the direct use of the "block.timestamp" to calculate the time elapsed since the last update of the price feed. By holding off blocks, miners can manipulate the "block.timestamp" value and fail the if (secondsSince > TIMEOUT) revert OracleLib__StalePrice(); check to leading to a revert and basically creating a denial of service
Vulnerability Details
By holding off blocks, miners can manipulate the "block.timestamp" value and fail the if (secondsSince > TIMEOUT) revert OracleLib__StalePrice(); check
Impact
Leads to a revert and basically creating a denial of service
Tools Used
MANUAL REVIEW
Recommendations
To mitigate the time manipulation vulnerability and ensure the integrity of the price feed updates, we recommend adopting a more secure approach for calculating the time elapsed since the last update. One possible solution is to use a separate mechanism for tracking the time of the last price update, such as storing the "updatedAt" timestamp in a contract variable and updating it every time the price feed is updated.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.