Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

OracleLib.staleCheckLatestRoundData() will fail to revert upon stale price as TIMEOUT greater than btc/usd & eth/usd heartbeats

Dacian

Summary

OracleLib.staleCheckLatestRoundData() will fail to revert upon stale price as TIMEOUT greater than btc/usd & eth/usd heartbeats.

Vulnerability Details

Oraclelib.TIMEOUT is hard-coded to 10800 seconds (3hrs) but BTC/USD & ETH/USD Chainlink price feeds (check the "Show More Details" box) have a heartbeat of 3600 seconds (1hr).

If btc/usd & eth/usd price feeds haven't been updated for >=3601 seconds the price feed must be considered stale and OracleLib.staleCheckLatestRoundData() must revert, but as the hard-coded timeout is 10800 a stale price will be considered fresh for 2 hours longer than should be the case.

Impact

Upstream code will treat stale price as fresh for up to 2 hours after the price has become stale, resulting in potential loss to users and to the protocol.

Tools Used

Manual

Recommendations

At a minimum OracleLib.TIMEOUT should be set to 3600 seconds to match BTC/USD & ETH/USD heartbeats. Ideally each Oracle feed should have its own timeout value but that is another issue.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.