15,000 USDC
Submission Details
Severity: medium
Valid

block.timestamp may be unreliable in short term on L2s

Summary

OracleLib.sol does not validate the timestamp returned by the price feed before using it on Arbitrum, so the contract can end up consuming stale data. The consequences range from inaccurate or outdated prices to loss of funds and denial of service.

Vulnerability Details

Arbitrum treats block.timestamp differently than the Ethereum L1 EVM does.

Impact

Because OracleLib.sol does not check the timestamp returned by the feed on Arbitrum, users of the contract can be significantly affected. If the contract operates on stale data, the prices it reports may be inaccurate or outdated, leading users to make bad financial decisions or lose money. If the contract then fails to execute transactions correctly, users may lose funds. Finally, if the contract becomes unavailable, users who rely on it for important services cannot use it at all.

Tools Used

Manual Review

Recommendations

The protocol should add a non-zero check on the timestamp returned by the feed, as shown below:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

library OracleLib {
    error OracleLib__StalePrice();
    uint256 private constant TIMEOUT = 3 hours; // placeholder value; the submission does not show it

    // Function header restored for completeness; the name is assumed.
    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
            priceFeed.latestRoundData();
        // Recommended addition: reject a round that was never updated. The submission wrote
        // `timestamp`, which is not in scope; `updatedAt` is the returned timestamp. Placed
        // before the subtraction so this check is reached instead of the generic timeout revert.
        require(updatedAt != 0, "Stale Price");
        uint256 secondsSince = block.timestamp - updatedAt;
        if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }

    function getTimeout(AggregatorV3Interface /* chainlinkFeed */ ) public pure returns (uint256) {
        return TIMEOUT;
    }
}
```
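A Foundry test, added here as an illustration and not part of the submission or the audited code base, that exercises the stale check against a constructed mock feed; the import path, the function name `staleCheckLatestRoundData`, and the `OracleLib__StalePrice` error being declared inside the library are assumptions. The last case shows the L2 caveat behind the title: when the sequencer's `block.timestamp` lags behind the feed's `updatedAt`, the subtraction itself reverts, so every price read fails.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test, stdError} from "forge-std/Test.sol";
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
import {OracleLib} from "../src/libraries/OracleLib.sol"; // path and function name assumed
// Constructed mock feed: the test controls updatedAt; no other interface function is called.
contract MockFeed {
    uint256 public updatedAt;
    function setUpdatedAt(uint256 t) external { updatedAt = t; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, 2000e8, updatedAt, updatedAt, 1);
    }
}

contract OracleLibStaleTest is Test {
    using OracleLib for AggregatorV3Interface;
    AggregatorV3Interface priceFeed;
    MockFeed feed;

    function setUp() public {
        feed = new MockFeed();
        priceFeed = AggregatorV3Interface(address(feed));
        vm.warp(1_700_000_000); // realistic block.timestamp so the subtraction is meaningful
    }

    function test_FreshRoundIsAccepted() public {
        feed.setUpdatedAt(block.timestamp - 60);
        (, int256 answer,,,) = priceFeed.staleCheckLatestRoundData();
        assertEq(answer, 2000e8);
    }
    // updatedAt == 0 must be rejected; any revert is accepted here because the exact
    // error depends on where the non-zero check sits relative to the timeout check.
    function test_RevertsWhenFeedNeverUpdated() public {
        feed.setUpdatedAt(0);
        vm.expectRevert();
        priceFeed.staleCheckLatestRoundData();
    }
    function test_RevertsWhenRoundOlderThanTimeout() public {
        feed.setUpdatedAt(block.timestamp - priceFeed.getTimeout() - 1);
        vm.expectRevert(OracleLib.OracleLib__StalePrice.selector);
        priceFeed.staleCheckLatestRoundData();
    }
    // L2 caveat: if the sequencer's block.timestamp lags behind the feed's updatedAt,
    // `block.timestamp - updatedAt` underflows and every price read reverts with a panic.
    function test_UnderflowWhenL2TimestampLagsFeed() public {
        feed.setUpdatedAt(block.timestamp + 30);
        vm.expectRevert(stdError.arithmeticError);
        priceFeed.staleCheckLatestRoundData();
    }
}
```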
