DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: low
Invalid

Insufficient Validation of Heartbeat for Oracle Price Feeds

Summary

The heartbeat (staleness window) used to validate the base oracle is hardcoded in the LibOracle.baseOracleCircuitBreaker function.

Vulnerability Details

The LibOracle.baseOracleCircuitBreaker function is responsible for validating the data that getLatestData returns from the base oracle. The base oracle is intended to be the ETH/USD price feed, but the heartbeat validation applied to it is insufficient: the function uses a hardcoded staleness window of 2 hours (7200 seconds), which is not recommended, whereas the recommended heartbeat for this feed is 3600 seconds. Because the window is twice the feed's heartbeat, an answer that the feed itself would already consider stale still passes the check, so getOraclePrice may return stale prices.

You can find the appropriate heartbeat values in Chainlink's list of Ethereum mainnet price feeds by checking the "Show More Details" section.

Impact

The staleness check for the asset's price is too permissive: a price that has not been updated for up to two hours is still accepted as fresh.

Tool Used

Manual Review

Recommendation

To address this issue, it is recommended to implement proper validation for the price feed. The code modification can be made as follows:

bool invalidFetchData = roundId == 0 || timeStamp == 0
|| timeStamp > block.timestamp || chainlinkPrice <= 0
- || block.timestamp > timeStamp + 2 hours;
+ || block.timestamp > timeStamp + 1 hour;
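Review bot: the replacement swaps one hardcoded constant (`2 hours`) for another (`1 hour`), which repeats the pattern the finding criticizes; since the heartbeat differs per Chainlink feed, the staleness window would be better passed into `baseOracleCircuitBreaker` or stored per feed rather than fixed in the condition. A short grace margin above the nominal heartbeat is also worth considering so that a round delivered slightly late is not rejected as stale, and the change should be covered by a test that exercises both sides of the `timeStamp + 1 hour` boundary.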

Ensure that the heartbeat value is set to 3600 seconds for the ETH/USD price feed to avoid returning stale prices.
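The following is an added example, not code from the DittoETH project, that models the circuit-breaker condition from this finding in Python with the staleness window passed in per feed instead of hardcoded. The RoundData shape, the HEARTBEAT_SECONDS table and the sample round are constructed for illustration; the 3600-second value is the one recommended above for ETH/USD.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoundData:
    """Constructed stand-in for the fields of Chainlink's latestRoundData()."""
    round_id: int
    answer: int      # price in the feed's decimals (8 for ETH/USD)
    updated_at: int  # unix timestamp of the last on-chain update


# Per-feed maximum staleness. Assumed value for illustration; the authoritative
# number is the heartbeat published for each feed in Chainlink's docs.
HEARTBEAT_SECONDS = {
    "ETH/USD": 3600,
}


def invalid_fetch_data(r: RoundData, now: int, heartbeat: int) -> tuple[bool, str]:
    """Same conditions as the finding's invalidFetchData expression, evaluated in
    order, with the heartbeat as a parameter. Returns (invalid, reason)."""
    if r.round_id == 0:
        return True, "roundId == 0"
    if r.updated_at == 0:
        return True, "timestamp == 0 (round not complete)"
    if r.updated_at > now:
        return True, "timestamp in the future"
    if r.answer <= 0:
        return True, "non-positive price"
    if now > r.updated_at + heartbeat:
        age = now - r.updated_at
        return True, f"stale: {age}s since update exceeds {heartbeat}s heartbeat"
    return False, "ok"


def check_feed(feed: str, r: RoundData, now: int) -> tuple[bool, str]:
    """Look up the feed's heartbeat instead of hardcoding it at the call site."""
    return invalid_fetch_data(r, now, HEARTBEAT_SECONDS[feed])


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed round last updated 90 minutes ago: accepted by a 2 hour
    # window, rejected by the feed's 1 hour heartbeat.
    r = RoundData(round_id=110680464442257320000, answer=2000 * 10**8, updated_at=now - 5400)
    print("2h window:", invalid_fetch_data(r, now, 7200))
    print("1h window:", check_feed("ETH/USD", r, now))
```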

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
