Data feeds with heartbeat more than 3 hours can freeze DSCEngine
Summary
In staleCheckLatestRoundData it is decided that the max TIMEOUT is 3 hours but there are a lot of data feeds that if the deviation threshold is not hit then the heartbeat is more than 3 hours.
Vulnerability Details
In the current implementation, we have:
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/d1c5501aa79320ca0aeaa73f47f0dbc88c7b77e2/src/libraries/OracleLib.sol#L29-L30
However, there are tokens with USD price feed's that the heartbeat is more than 3 hours and the deviation threshold more than 0.5% that makes freezing the DSCEngine highly likely.
Impact
There is a high probability to freeze DSCEngine quite fast and make it unusable without serving its purpose.
Tool used
Manual Review
Recommendation
There are a couple of recommendations.
One recommendation can be to allow only the tokens that can meet the requirements you have already set.
An other recommendation can be to loose a bit the TIMEOUT constraint to 24 hours to support a lot more USD pairs but also adding a try/catch in staleCheckLatestRoundData and otherwise use another fallback oracle solution.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.