The "staleCheckLatestRoundData" function is vulnerable to time manipulation, which could be exploited by malicious miners during periods of Chainlink failure or temporary network disruptions. The vulnerability arises from the direct use of "block.timestamp" to calculate the time elapsed since the last update of the price feed. By holding off blocks, miners can manipulate the "block.timestamp" value so that the check if (secondsSince > TIMEOUT) revert OracleLib__StalePrice(); is tripped, leading to a revert and effectively creating a denial of service.
Tools used: manual review.
To mitigate the time manipulation vulnerability and preserve the integrity of the price feed updates, we recommend a more robust approach to calculating the time elapsed since the last update. One possible solution is a separate mechanism for tracking the time of the last price update, such as storing the "updatedAt" timestamp in a contract variable and updating it every time the price feed is updated.
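The check quoted in the finding, placed next to one way of implementing the recommended storage-tracked timestamp. This is an added example written for this page, not the project's own code: the interface is the subset of Chainlink's AggregatorV3Interface these functions need, the TIMEOUT value (3 hours) is an assumption, and the TrackedPriceOracle contract and its recordPriceUpdate/latestPrice functions are hypothetical. One caveat a reviewer should weigh: any wall-clock staleness test still needs block.timestamp as its notion of "now", so moving the reference point into contract storage changes where the last-update time comes from, not how much the current block's timestamp can be shifted, and a revert on a stale feed is the fail-closed behaviour such a guard is usually meant to provide.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Subset of Chainlink's AggregatorV3Interface used by the checks below.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// The stale-price guard as the finding describes it: the age of the feed's
// own updatedAt is measured directly against block.timestamp and the call
// reverts once it exceeds TIMEOUT. (The TIMEOUT value is an assumption.)
library OracleLib {
    error OracleLib__StalePrice();

    uint256 private constant TIMEOUT = 3 hours;

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        internal
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

// One reading of the recommendation (hypothetical contract): the time of the
// last price update is kept in contract storage and refreshed whenever a new
// Chainlink round is observed; staleness is then judged against that stored
// value rather than against the raw return value of the feed.
contract TrackedPriceOracle {
    error TrackedPriceOracle__NoNewRound();
    error TrackedPriceOracle__NoRecordedUpdate();
    error TrackedPriceOracle__StalePrice();

    uint256 public constant TIMEOUT = 3 hours; // assumed value, as above
    AggregatorV3Interface public immutable priceFeed;
    uint80 public lastRoundId;
    uint256 public lastUpdatedAt;

    event PriceUpdateRecorded(uint80 indexed roundId, uint256 updatedAt);

    constructor(AggregatorV3Interface feed) {
        priceFeed = feed;
    }

    // Called after Chainlink publishes a new round: stores the feed's
    // updatedAt so the contract keeps its own record of the last update.
    // Rejects calls that would not advance the recorded round.
    function recordPriceUpdate() external {
        (uint80 roundId,,, uint256 updatedAt,) = priceFeed.latestRoundData();
        if (roundId <= lastRoundId) revert TrackedPriceOracle__NoNewRound();
        lastRoundId = roundId;
        lastUpdatedAt = updatedAt;
        emit PriceUpdateRecorded(roundId, updatedAt);
    }

    // Returns the latest answer only while the recorded update is fresh.
    // block.timestamp still supplies "now"; what changes is that the
    // reference point is the contract's own stored record of the update.
    function latestPrice() external view returns (int256 answer) {
        if (lastUpdatedAt == 0) revert TrackedPriceOracle__NoRecordedUpdate();
        if (block.timestamp - lastUpdatedAt > TIMEOUT) revert TrackedPriceOracle__StalePrice();
        (, answer,,,) = priceFeed.latestRoundData();
    }
}
```

With this layout the staleness decision depends on a value the contract wrote itself when a new round was recorded, which is what the recommendation asks for; the two guards can be compared side by side in a test by deploying both against a mock aggregator and advancing the block timestamp past TIMEOUT.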