ChainlinkARBOracle.addTokenMaxDelay function is missing upper & lower bound checks
The ChainlinkARBOracle.addTokenMaxDelay function is used by the contract owner to add a maximum delay for a Chainlink response for a specific token, and this value is used to check if the Chainlink token price is frozen before returning the token price:
So if maxDelays[token] is set to a very low value, the price will not be returned, because the above check will always return true, indicating that Chainlink is frozen.
And if this value is set to a very high value, _chainlinkIsFrozen will return false, indicating that Chainlink is not frozen even when it is frozen and the price it returned is stale.
Since there's no check on the maxDelay value before assigning it, this will result in an incorrect staleness check on the answer returned from the aggregators, which will lead to using an invalid/corrupted token price in the protocol.
ChainlinkARBOracle.addTokenMaxDelay function
Manual Review.
Add a lower bound and upper bound check for this value before assigning/updating it.
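One way to apply this recommendation, as an added sketch that is not the protocol's own code. The contract name, the MIN_MAX_DELAY and MAX_MAX_DELAY constants and their values, the errors, the event and the isFrozen wrapper are assumptions; only addTokenMaxDelay, maxDelays and _chainlinkIsFrozen are names taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

/// Added illustration. Names other than addTokenMaxDelay, maxDelays and
/// _chainlinkIsFrozen are hypothetical.
contract BoundedMaxDelayOracle {
    // Assumed bounds; derive real ones from the heartbeats of the feeds in use.
    uint256 public constant MIN_MAX_DELAY = 1 minutes;
    uint256 public constant MAX_MAX_DELAY = 1 days;

    address public immutable owner;
    mapping(address => uint256) public maxDelays;

    error OnlyOwner();
    error ZeroAddress();
    error MaxDelayOutOfBounds(uint256 given, uint256 min, uint256 max);

    event TokenMaxDelaySet(address indexed token, uint256 maxDelay);

    constructor() {
        owner = msg.sender;
    }

    function addTokenMaxDelay(address token, uint256 maxDelay) external {
        if (msg.sender != owner) revert OnlyOwner();
        if (token == address(0)) revert ZeroAddress();
        // Too low: every answer looks frozen. Too high: stale answers pass.
        if (maxDelay < MIN_MAX_DELAY || maxDelay > MAX_MAX_DELAY) {
            revert MaxDelayOutOfBounds(maxDelay, MIN_MAX_DELAY, MAX_MAX_DELAY);
        }
        maxDelays[token] = maxDelay;
        emit TokenMaxDelaySet(token, maxDelay);
    }

    /// Staleness check in the shape the finding describes: the answer is
    /// treated as frozen when its age exceeds maxDelays[token].
    function _chainlinkIsFrozen(address token, uint256 updatedAt) internal view returns (bool) {
        uint256 delay = maxDelays[token];
        // A token with no configured delay (0) is treated as frozen, not fresh.
        if (delay == 0 || updatedAt > block.timestamp) return true;
        return block.timestamp - updatedAt > delay;
    }

    // Hypothetical external wrapper so the check can be exercised in tests.
    function isFrozen(address token, uint256 updatedAt) external view returns (bool) {
        return _chainlinkIsFrozen(token, updatedAt);
    }
}
```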
Redundant check on maxDelay and/or maxDeviation in ARBOracle