15,000 USDC
View results
Submission Details
Severity: medium
Valid

Data feeds with heartbeat more than 3 hours can freeze DSCEngine

Summary

In staleCheckLatestRoundData it is decided that the max TIMEOUT is 3 hours but there are a lot of data feeds that if the deviation threshold is not hit then the heartbeat is more than 3 hours.

Vulnerability Details

In the current implementation, we have:

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/d1c5501aa79320ca0aeaa73f47f0dbc88c7b77e2/src/libraries/OracleLib.sol#L29-L30

uint256 secondsSince = block.timestamp - updatedAt;
if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();

However, there are tokens with USD price feed's that the heartbeat is more than 3 hours and the deviation threshold more than 0.5% that makes freezing the DSCEngine highly likely.

Impact

There is a high probability to freeze DSCEngine quite fast and make it unusable without serving its purpose.

Tool used

Manual Review

Recommendation

There are a couple of recommendations.

One recommendation can be to allow only the tokens that can meet the requirements you have already set.

An other recommendation can be to loose a bit the TIMEOUT constraint to 24 hours to support a lot more USD pairs but also adding a try/catch in staleCheckLatestRoundData and otherwise use another fallback oracle solution.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.