Submission Details
Severity:
`MarketConfiguration.update()` doesn't update `priceFeedHeartbeatSeconds`.
Github link
Summary
MarketConfiguration.update() doesn't update priceFeedHeartbeatSeconds.
Vulnerability Details
When updatePerpMarketConfiguration() is called to update the market configuration, it calls MarketConfiguration.update() with MarketConfiguration.Data.
But in update(), it doesn't update priceFeedHeartbeatSeconds.
function update(Data storage self, Data memory params) internal { //@audit priceFeedHeartbeatSeconds
self.name = params.name;
self.symbol = params.symbol;
self.priceAdapter = params.priceAdapter;
self.initialMarginRateX18 = params.initialMarginRateX18;
self.maintenanceMarginRateX18 = params.maintenanceMarginRateX18;
self.maxOpenInterest = params.maxOpenInterest;
self.maxSkew = params.maxSkew;
self.maxFundingVelocity = params.maxFundingVelocity;
self.minTradeSizeX18 = params.minTradeSizeX18;
self.skewScale = params.skewScale;
self.orderFees = params.orderFees;
}
So priceFeedHeartbeatSeconds will remain as 0 and getPrice() won't work properly.
try priceFeed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
if (block.timestamp - updatedAt > priceFeedHeartbeatSeconds) {
revert Errors.OraclePriceFeedHeartbeat(address(priceFeed));
}
Impact
It's impossible to get prices from Chainlink.
Tools Used
Manual Review
Recommendations
update() should update priceFeedHeartbeatSeconds.
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
`MarketConfiguration::update` function lacks `priceFeedHeartbeatSeconds` argument
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,87821 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.