Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: low
Invalid

`addTokenMaxDelay` function allows owner to set a maximum delay for each token's price update.

Summary

The addTokenMaxDelay function allows the owner to set a maximum delay for each token's price update. If an attacker gains control of the owner's address, they could set unreasonably long delays, leading to stale or outdated price data.

Vulnerability Details

A malicious actor can intentionally set long maximum delays, causing price data to become outdated, unreliable, or even irrelevant. Users and applications relying on timely price information could make poor financial decisions, experience losses, or encounter other negative consequences.

```solidity
function addTokenMaxDelay(address token, uint256 maxDelay) external onlyOwner {
    if (token == address(0)) revert Errors.ZeroAddressNotAllowed();
    if (feeds[token] == address(0)) revert Errors.NoTokenPriceFeedAvailable();
    if (maxDelay < 0) revert Errors.TokenPriceFeedMaxDelayMustBeGreaterOrEqualToZero();
    maxDelays[token] = maxDelay;
}
```

Impact

The impact of this vulnerability is significant, as malicious actors can intentionally set long maximum delays, causing price data to become outdated, unreliable, or even irrelevant. Users and applications relying on timely price information could make poor financial decisions, experience losses, or encounter other negative consequences.

Tools Used

Manual

Recommended Mitigation Steps

  • Implement proper access control mechanisms to restrict who can modify the maximum delay for token price updates.

  • Consider using a modifier that allows only authorized addresses to call the function.

```solidity
function addTokenMaxDelay(address token, uint256 maxDelay) external onlyOwner {
    if (token == address(0)) revert Errors.ZeroAddressNotAllowed();
    if (feeds[token] == address(0)) revert Errors.NoTokenPriceFeedAvailable();
    if (maxDelay < 0) revert Errors.TokenPriceFeedMaxDelayMustBeGreaterOrEqualToZero();
    maxDelays[token] = maxDelay;
}
```

Recommended (Modified ChainlinkARBOracle.sol):

```solidity
// Add this modifier to the contract
modifier onlyOwnerOrAuthorized() {
    require(msg.sender == owner() || msg.sender == authorizedAddress, "Not the owner or an authorized address");
    _;
}

// Set an authorized address
address public authorizedAddress;

// Function to set the authorized address
function setAuthorizedAddress(address _authorizedAddress) external onlyOwner {
    authorizedAddress = _authorizedAddress;
}

// Modify the addTokenMaxDelay function to include access control
function addTokenMaxDelay(address token, uint256 maxDelay) external onlyOwnerOrAuthorized {
    require(token != address(0), "Token address cannot be zero");
    require(feeds[token] != address(0), "No token price feed available");
    require(maxDelay >= 0, "Token price feed max delay must be greater or equal to zero");
    maxDelays[token] = maxDelay;
}
```

  • Implement a time lock mechanism that enforces a delay between the request to change the maximum delay and its execution. This allows users to detect and prevent unauthorized or malicious changes in time.

  • Consider requiring multiple parties to approve changes to the maximum delay. Multi-signature requirements can enhance security and prevent single points of failure.
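
The time lock recommended above, sketched as an added example; it is not part of the submission or of Steadefi's code. The contract name, `CHANGE_DELAY`, `MAX_DELAY_CAP` and the queue/apply/cancel functions are assumptions, the upper bound goes beyond what the submission proposes, and the feed-existence check from the original function is left out to keep the sketch self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: every name and constant here is hypothetical.
contract TimelockedMaxDelay {
    uint256 public constant CHANGE_DELAY = 2 days;  // assumed review window
    uint256 public constant MAX_DELAY_CAP = 1 days; // assumed staleness ceiling
    struct Pending { uint256 maxDelay; uint256 executableAt; }
    address public immutable owner;
    mapping(address => uint256) public maxDelays; // values currently in force
    mapping(address => Pending) public pending;   // queued, not yet active
    event MaxDelayQueued(address indexed token, uint256 maxDelay, uint256 executableAt);
    event MaxDelayApplied(address indexed token, uint256 maxDelay);
    event MaxDelayCancelled(address indexed token);
    error NotOwner();
    error ZeroAddressNotAllowed();
    error MaxDelayAboveCap();
    error NothingQueued();
    error TimelockNotElapsed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    // Step 1: announce the change; the event is what off-chain monitors watch.
    function queueMaxDelay(address token, uint256 maxDelay) external onlyOwner {
        if (token == address(0)) revert ZeroAddressNotAllowed();
        if (maxDelay > MAX_DELAY_CAP) revert MaxDelayAboveCap();
        pending[token] = Pending(maxDelay, block.timestamp + CHANGE_DELAY);
        emit MaxDelayQueued(token, maxDelay, block.timestamp + CHANGE_DELAY);
    }

    // Step 2: the new value takes effect only after the window has passed.
    function applyMaxDelay(address token) external onlyOwner {
        Pending memory p = pending[token];
        if (p.executableAt == 0) revert NothingQueued();
        if (block.timestamp < p.executableAt) revert TimelockNotElapsed();
        delete pending[token];
        maxDelays[token] = p.maxDelay;
        emit MaxDelayApplied(token, p.maxDelay);
    }

    // A queued change can be withdrawn before it takes effect.
    function cancelMaxDelay(address token) external onlyOwner {
        delete pending[token];
        emit MaxDelayCancelled(token);
    }
}
```

Placing the owner role behind a multi-signature wallet, as the last recommendation suggests, composes with this pattern without changing the contract.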

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

INFO: Unnecessary maxDelay/maxDeviation check

Redundant check on maxDelay and/or maxDeviation in ARBOracle
