Submission Details
Severity:
Chainlink heartbeats are hardcoded
Summary
Chainlink oracle adapters use hardcoded heartbeats of 4 hours and 4 days. However heartbeat on L2 oracles is much much less, for example it is 27 seconds for AAVE / USD on Polygon
As a result stale price will be used.
Vulnerability Details
In folder protocol/contracts/libraries/Oracle you can see it uses hardcoded timeouts LibChainlinkOracle.FOUR_HOUR_TIMEOUT and LibChainlinkOracle.FOUR_DAY_TIMEOUT when retrieves price from Chainlink
Impact
Protocol will use stale price
Tools Used
Manual Review
Recommendations
Do not hardcode usage of heartbeat because you're gonna deploy on L2.
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Reason: Design choice
Assigned finding tags:
Hardcoded Chainlink Heartbeats on L2
Appeal created
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
Hardcoded Chainlink Heartbeats on L2
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.