Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

Submission Details

Severity: medium

Valid

The following two issues may cause users to get Chainlink prices that are not up to date

The following two issues are likely to cause significant deviations in the value of the user's acquisition of collateral tokens in dollars

Check 01：The TIMEOUT value is set to 3 hours,The price used by the user may not be up to date, which may result in the value of the collateral on the user's account being misestimated
Check 02：updatedAt is not checked for data,When updatedAt = 0, secondsSince = block.timestamp,And block.timestamp may be manipulated maliciously. This can lead to potentially incorrect behavior.
Impact: This will directly and significantly impact the accuracy of the prices obtained from the getTokenAmountFromUsd and getUsdValue functions.

As shown in the figure: 111

Manual Review

Validate that updatedAt has been updated recently enough: 【PS：Reference： https://github.com/code-423n4/2023-02-kuma-findings/issues/11 】

if (updatedAt == 0) {

revert OracleLib__StalePrice();

}

It is not recommended to use 'block.timestamp' as a time proxy 【PS：Reference：Block values as time proxies 】
You are advised to set the value of TIMEOUT to 0.5 ~ 2 hours

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

The contest is live. Earn rewards by submitting a finding.

Submissions are being carefully reviewed by our judges.

This is your time to appeal against judgements on your submissions.

Appeals are being carefully reviewed by our judges.

The contest is complete and the rewards are being distributed.

Support

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.