ChainlinkARBOracle has two functions, addTokenMaxDelay and addTokenMaxDeviation, which the owner of the contract can use to update the parameters of the Chainlink feeds. These functions check whether the given uint value is smaller than zero instead of checking whether it is zero. This wastes gas, because a uint value cannot be below zero, and the check that actually matters, whether the given value equals zero, is missing. A zero value for either parameter would lead to a DoS of the oracle.
Here are the mentioned checks:
maxDeviation is the maximum allowed deviation between the previous price and the current price, so a DoS would happen on any price change if maxDeviation equals zero.
maxDelay is the maximum allowed delay of the Chainlink oracle response, so a DoS would happen if this variable is zero.
The wrong checks still allow a zero maxDeviation and a zero maxDelay, which will lead to a DoS of the oracle if accidentally set. They also waste gas, as they check something that cannot happen in Solidity.
Manual Review
Change the comparison in both functions to == 0.
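The sketch below is an added illustration, not the ChainlinkARBOracle source: it puts the always-false `< 0` comparison next to the `== 0` form and shows how a stored zero makes each downstream check trip. The contract, function and error names, the mappings and the 1e18 deviation scale are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here and the 1e18 scale are assumptions.
contract OracleParamSketch {
    error OnlyOwner();
    error ZeroValue();

    address public immutable owner;
    mapping(address => uint256) public maxDelays;     // seconds
    mapping(address => uint256) public maxDeviations; // fraction scaled by 1e18

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert OnlyOwner();
        _;
    }

    // Pattern the finding describes: a uint256 is never < 0, so this branch
    // is dead code and a zero value is stored without complaint.
    function setMaxDelayWeak(address token, uint256 maxDelay) external onlyOwner {
        if (maxDelay < 0) revert ZeroValue();
        maxDelays[token] = maxDelay;
    }

    // Recommended form: reject zero explicitly.
    function setMaxDelay(address token, uint256 maxDelay) external onlyOwner {
        if (maxDelay == 0) revert ZeroValue();
        maxDelays[token] = maxDelay;
    }

    function setMaxDeviation(address token, uint256 maxDeviation) external onlyOwner {
        if (maxDeviation == 0) revert ZeroValue();
        maxDeviations[token] = maxDeviation;
    }

    // With maxDelays[token] == 0, any response older than the current block
    // timestamp is reported as stale.
    function isStale(address token, uint256 updatedAt) public view returns (bool) {
        return block.timestamp - updatedAt > maxDelays[token];
    }

    // With maxDeviations[token] == 0, any non-zero price change is reported
    // as out of bounds (cross-multiplied to avoid rounding the ratio to zero).
    function isDeviating(address token, uint256 prev, uint256 curr) public view returns (bool) {
        uint256 diff = curr > prev ? curr - prev : prev - curr;
        return diff * 1e18 > maxDeviations[token] * prev;
    }
}
```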
Redundant check on maxDelay and/or maxDeviation in ARBOracle