DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

`Chainlink` oracle returns stale prices because the `FOUR_DAY_TIMEOUT` constant in `LibChainlinkOracle` is set to 4 days

Summary

The `LibChainlinkOracle` library uses the `FOUR_DAY_TIMEOUT` constant, which is set to 345600 seconds (4 days). This duration is 4 times longer than the Chainlink heartbeat of 86400 seconds (1 day).

Vulnerability Details

`LibWstethEthOracle::getWstethEthPrice` accepts a `lookback` argument and returns `wstethEthPrice`:

```solidity
function getWstethEthPrice(uint256 lookback) internal view returns (uint256 wstethEthPrice) {
    uint256 chainlinkPrice = lookback == 0 ?
        LibChainlinkOracle.getPrice(WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR, LibChainlinkOracle.FOUR_DAY_TIMEOUT) :
        LibChainlinkOracle.getTwap(WSTETH_ETH_CHAINLINK_PRICE_AGGREGATOR, LibChainlinkOracle.FOUR_DAY_TIMEOUT, lookback);
    // Check if the chainlink price is broken or frozen.
    if (chainlinkPrice == 0) return 0;
    uint256 stethPerWsteth = IWsteth(C.WSTETH).stEthPerToken();
    chainlinkPrice = chainlinkPrice.mul(stethPerWsteth).div(CHAINLINK_DENOMINATOR);
    // Uniswap V3 only supports a uint32 lookback.
    if (lookback > type(uint32).max) return 0;
    uint256 uniswapPrice = LibUniswapOracle.getTwap(
        lookback == 0 ? LibUniswapOracle.FIFTEEN_MINUTES :
        uint32(lookback),
        WSTETH_ETH_UNIV3_01_POOL, C.WSTETH, C.WETH, ONE
    );
    // Check if the uniswapPrice oracle fails.
    if (uniswapPrice == 0) return 0;
    if (LibOracleHelpers.getPercentDifference(chainlinkPrice, uniswapPrice) < MAX_DIFFERENCE) {
        wstethEthPrice = chainlinkPrice.add(uniswapPrice).div(AVERAGE_DENOMINATOR);
        if (wstethEthPrice > stethPerWsteth) wstethEthPrice = stethPerWsteth;
        wstethEthPrice = wstethEthPrice.div(PRECISION_DENOMINATOR);
    }
}
```

Impact

The Chainlink heartbeat for this feed is 86400 seconds (1 day), as shown at this link:
https://docs.chain.link/data-feeds/price-feeds/addresses?network=ethereum&page=1&search=0x86392dC19c0b719886221c78AB11eb8Cf5c52812

Even when `lookback == 0`, the function passes `FOUR_DAY_TIMEOUT`, which is significantly longer than the heartbeat. The library therefore accepts an answer that has not been updated for up to 4 days and may no longer reflect current market conditions. In a volatile market, a 4-day window can return outdated prices and increase the risk of price slippage, and it can produce inaccurate data where precision and decision-making are crucial, with serious consequences for the protocol's functionality and reliability.

Tools Used

Manual Review

Recommendations

Reduce `FOUR_DAY_TIMEOUT` to a value closer to the Chainlink heartbeat; this will improve the relevance of the price data.
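As an added example (not the project's code), the staleness check below bounds the accepted age by the feed's documented heartbeat plus a short grace period, while keeping the page's "return 0 on failure" convention so the caller can fall back to the Uniswap TWAP. The `HEARTBEAT` and `GRACE_PERIOD` values and the library name are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's standard AggregatorV3Interface.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical library name; constants are illustrative, not the project's.
library HeartbeatBoundChainlinkOracle {
    uint256 internal constant HEARTBEAT = 86400;          // documented feed heartbeat (1 day)
    uint256 internal constant GRACE_PERIOD = 30 minutes;  // tolerance for a slightly late round
    uint256 internal constant MAX_STALENESS = HEARTBEAT + GRACE_PERIOD;

    /// @notice Returns the latest answer, or 0 if the feed looks broken or stale.
    function getPrice(address aggregator) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(aggregator).latestRoundData();

        // Broken feed: non-positive answer or a round that never completed.
        if (answer <= 0 || updatedAt == 0) return 0;
        // Legacy stale-round signal still returned by the interface.
        if (answeredInRound < roundId) return 0;
        // Clock skew guard; also avoids underflow in the age computation.
        if (updatedAt > block.timestamp) return 0;
        // Frozen feed: older than one heartbeat plus grace, instead of 4 days.
        if (block.timestamp - updatedAt > MAX_STALENESS) return 0;

        return uint256(answer);
    }
}
```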

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink timeout
