The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Heartbeat of Chainlink price feeds is not checked.

Summary

The heartbeat of Chainlink price feeds is not checked, which can result in a stale price being used.

Vulnerability Details

Different Chainlink price feeds have different heartbeats, ranging from about an hour to a couple of days. Heartbeats are essentially the timeframes after which the price of the token pair is updated.

It is recommended to check the heartbeat of a token pair before using its price, to ensure that the price the Chainlink oracle returns is not stale.

For example, the heartbeat of the ARB/USD token pair on Arbitrum is 86400s.

Thus, there should be a check like:

require(block.timestamp - updatedAt < 86400, "Stale data");

Impact

Price feeds can return a stale value.

Tools Used

Manual Analysis.

Recommendations

  1. Create a mapping like:

mapping(address => uint256) priceFeedStaleTimeFrame;

  2. Add all the heartbeats of the token pairs to this mapping.

  3. In every instance where the Chainlink price oracle is used, add a check like this:

require(block.timestamp - updatedAt < priceFeedStaleTimeFrame[priceFeedAddress], "Stale data");
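
The three recommendation steps combined into one contract, as an added example that is not code from the submission or from The Standard's contracts. The contract name, the owner-only setter and the custom errors are assumptions; it also rejects feeds with no configured heartbeat and non-positive answers, which the report does not mention.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal copy of Chainlink's AggregatorV3Interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical wrapper illustrating the per-feed staleness check.
contract HeartbeatCheckedOracle {
    address public immutable owner;

    // Step 1: feed address => maximum accepted age of an answer, in seconds.
    mapping(address => uint256) public priceFeedStaleTimeFrame;

    error NotOwner();
    error FeedNotConfigured(address feed);
    error StalePrice(address feed, uint256 updatedAt);
    error InvalidPrice(address feed, int256 answer);

    constructor() {
        owner = msg.sender;
    }

    // Step 2: register each feed's heartbeat, e.g. 86400 for the ARB/USD
    // feed on Arbitrum (value taken from the report).
    function setStaleTimeFrame(address feed, uint256 maxAge) external {
        if (msg.sender != owner) revert NotOwner();
        priceFeedStaleTimeFrame[feed] = maxAge;
    }

    // Step 3: every price read goes through the staleness check.
    function getCheckedPrice(address feed) external view returns (uint256) {
        uint256 maxAge = priceFeedStaleTimeFrame[feed];
        // An unset mapping entry reads as 0; report it as a configuration
        // error instead of a misleading "stale" revert.
        if (maxAge == 0) revert FeedNotConfigured(feed);

        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();

        // Same condition as the report's require: age must be < heartbeat.
        // The first clause avoids an arithmetic underflow panic.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt >= maxAge) {
            revert StalePrice(feed, updatedAt);
        }
        if (answer <= 0) revert InvalidPrice(feed, answer); // guards the cast below
        return uint256(answer);
    }
}
```
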
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink-price

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink-price
