Stale period maxDelay values not sanity checked
Summary
Not choosing maxDelays correctly can lead to consuming stale data or oracle not working
Vulnerability Details
The stale period as obtained by maxDelays[token] is obtained from the values input by the owner function
As can be seen the input maxDelay is not sanity checked so zero value, too small a value or too high a value is used.
On Arbitrum, the oracle will update the price data every ~24 hours if delay input is too low leading to revert transactions whereas values higher than 24 hours eg 72 hours can lead to stale data
Impact
Most price feeds on ARbitrum reasonable delay and default is 24 hours many tokens. Values way low than this leads to reverts whereas values too high e.g 72 hours leads to stale prices
Tools Used
Manual Analysis
Recommendations
Recommended since most price feeds and looking at tokens used all likely work well with the common 24 hours period for Arbirum. Recommended to default this value to 24 hours at the start and when changing there is sanity checks that for certain token it must be within a certain range e.g 20<x<40 hours etc. Proper input validation should be implemented.
Lead Judging Commences
Centralization Risk
Impact: High Likelihood: Low Centralization risk is regarded a known issue. This tag will include all submissions : - Admin setter functions without validations
Centralization Risk
Impact: High Likelihood: Low Centralization risk is regarded a known issue. This tag will include all submissions : - Admin setter functions without validations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.