15,000 USDC
Submission Details
Severity: medium
Valid

[M] Oracle validation will return different on different chains

Summary

The price feeds are protected by a stale-data check, but that check relies on a single hard-coded timeout, so its behaviour will not be consistent once the contract is deployed on other chains.

Vulnerability Details

The value of TIMEOUT is set to 3 hours (10800 seconds). This constant is the maximum allowed difference between the current block's timestamp and the updatedAt timestamp of the latest round returned by the Chainlink oracle; any feed whose latest round is older than that is treated as stale.

Impact

When getTokenAmountFromUsd, getAccountCollateralValue or getUsdValue is called, the contract calls staleCheckLatestRoundData to verify that the latest round data is fresh. If the data is older than TIMEOUT, the call reverts, which blocks every operation that depends on a price (minting, collateral valuation and liquidation).

// Relevant part of the audited library, with the surrounding declarations
// restored so the snippet compiles on its own.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

library OracleLib {
    error OracleLib__StalePrice();

    // Single staleness window used for every feed on every chain.
    uint256 private constant TIMEOUT = 3 hours; // 10800 seconds

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        // Reverts if the latest round is older than TIMEOUT.
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}

However, the contract is meant to be deployed on multiple chains, and a single TIMEOUT does not fit all of them. block.timestamp is a Unix timestamp in seconds on every EVM chain, so the constant itself does not change; what changes is how often Chainlink updates each feed. Heartbeat and deviation thresholds are configured per feed and per network, so the same pair (for example ETH/USD) can have a different heartbeat on each chain. On a chain whose feed heartbeat is longer than 3 hours, a perfectly healthy feed will be rejected as stale and every price-dependent function will revert; on a chain whose feed updates much more frequently, a 3-hour window lets the protocol keep using a price that is already hours behind the market. The same oracle validation therefore gives different results, and a different level of protection, on different chains.

Tools Used

Manual Review

Recommendations

Suggested solution: do not hard-code one TIMEOUT. Make the staleness window a deployment parameter, ideally one per price feed, set from the heartbeat Chainlink documents for that feed on the target network (plus a small grace period), so that the validation is consistent on every chain the protocol is deployed to.
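The following is an added example of that recommendation, not code from the audited project: the staleness window is stored per feed address and supplied by the deployment script for each chain (the contract name, the heartbeatOf mapping and the constructor arguments are assumptions made for this illustration).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// Added example (not the audited project's code): one staleness window per feed,
/// configured at deployment from the heartbeat documented for that feed on the target chain.
contract PerFeedStaleCheck {
    error OracleLib__StalePrice();
    error OracleLib__UnknownFeed();
    error OracleLib__ZeroTimeout();

    // Allowed age (seconds) of the latest round for each feed on the chain this
    // contract is deployed to. Zero means the feed was never configured.
    mapping(address => uint256) public heartbeatOf;

    // `feeds` and `timeouts` are supplied by the per-chain deployment script, e.g. the
    // documented heartbeat of each feed on that network plus a grace period.
    constructor(address[] memory feeds, uint256[] memory timeouts) {
        require(feeds.length == timeouts.length, "length mismatch");
        for (uint256 i = 0; i < feeds.length; i++) {
            if (timeouts[i] == 0) revert OracleLib__ZeroTimeout();
            heartbeatOf[feeds[i]] = timeouts[i];
        }
    }

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        // Unconfigured feeds are rejected instead of silently falling back to a default.
        uint256 timeout = heartbeatOf[address(priceFeed)];
        if (timeout == 0) revert OracleLib__UnknownFeed();

        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();

        // updatedAt == 0 means the round never completed; reject it explicitly.
        // In 0.8 the subtraction reverts on underflow, so a future updatedAt also fails closed.
        if (updatedAt == 0 || block.timestamp - updatedAt > timeout) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }
}
```

With this layout the same source is deployed unchanged on every chain and only the constructor arguments differ, so the deployment script for each network becomes the single place where the feed heartbeats have to be reviewed.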
