Submission Details
Severity: medium
Valid

Same hard-coded timeout used for multiple price feeds can result in stale prices being treated as fresh when the price feeds have different heartbeats

Summary

The same hard-coded timeout is used for multiple price feeds. This may result in stale prices being treated as fresh when different price feeds have different heartbeats.

Vulnerability Details

Although BTC/USD and ETH/USD have the same heartbeat, this project aims to allow others to set up their own collateral tokens. This will not work correctly, because OracleLib.TIMEOUT is a single hard-coded timeout applied to every price feed: a feed whose heartbeat is longer than the timeout will be rejected as stale on every read, while a feed whose heartbeat is shorter than the timeout can return an answer that is well past its own update deadline and still pass the staleness check.

Impact

When using price feeds with different heartbeats, the hard-coded timeout value will result in stale prices being treated as fresh, leading to potential loss of value to users and to the protocol.

Tools Used

Manual

Recommendations

In DSCEngine.constructor(), allow callers to pass in a timeout value for every price feed address (alongside the token and price feed arrays), store it per feed, and change OracleLib.staleCheckLatestRoundData() to take and use this price-feed-specific timeout value for the staleness check instead of the single TIMEOUT constant.
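The following is an added illustration of the recommended change; it is not code from the audited project or from the submitter. It assumes a Chainlink-style `latestRoundData()` feed interface, a library function named `staleCheckLatestRoundData` that returns the same five-value tuple as the feed, and a constructor that receives token, price feed and timeout arrays of equal length. The error names, the `DSCEngineSketch` contract and its storage layout are assumptions for the example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal Chainlink-style aggregator interface (assumed shape, matches AggregatorV3Interface).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative OracleLib: the staleness window is passed in per call
///         instead of being read from one hard-coded TIMEOUT constant.
library OracleLib {
    error OracleLib__StalePrice();
    error OracleLib__InvalidTimeout();

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed, uint256 timeout)
        internal
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        // A zero window would reject every answer; treat it as a configuration error.
        if (timeout == 0) revert OracleLib__InvalidTimeout();

        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // Reject unset or future timestamps, then anything older than this feed's own window.
        if (updatedAt == 0 || updatedAt > block.timestamp) revert OracleLib__StalePrice();
        if (block.timestamp - updatedAt > timeout) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

/// @notice Sketch of the constructor change: one timeout per price feed,
///         stored next to the feed address and used on every price read.
contract DSCEngineSketch {
    using OracleLib for AggregatorV3Interface;

    error DSCEngine__ArrayLengthMismatch();

    mapping(address token => address priceFeed) private s_priceFeeds;
    mapping(address priceFeed => uint256 timeout) private s_feedTimeouts;

    constructor(address[] memory tokens, address[] memory priceFeeds, uint256[] memory timeouts) {
        if (tokens.length != priceFeeds.length || tokens.length != timeouts.length) {
            revert DSCEngine__ArrayLengthMismatch();
        }
        for (uint256 i = 0; i < tokens.length; i++) {
            s_priceFeeds[tokens[i]] = priceFeeds[i];
            // Deployer sets each window from that feed's documented heartbeat (plus any grace period).
            s_feedTimeouts[priceFeeds[i]] = timeouts[i];
        }
    }

    /// @dev Every read goes through the staleness check with the feed's own window.
    function getLatestPrice(address token) public view returns (int256) {
        AggregatorV3Interface feed = AggregatorV3Interface(s_priceFeeds[token]);
        (, int256 price,,,) = feed.staleCheckLatestRoundData(s_feedTimeouts[address(feed)]);
        return price;
    }
}
```

With this layout a feed with a 1-hour heartbeat and a feed with a 24-hour heartbeat can coexist: each is judged against its own window, so neither is rejected on every read nor allowed to serve an answer that is many heartbeats old.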
