Different Oracle Feeds Require Different Staleness Thresholds
Summary
The UpdateWeightRunner contract uses a single global staleness threshold for all oracle feeds, which fails to account for different update frequencies across different price feeds. This can lead to either premature rejection of valid prices or acceptance of stale prices.
Vulnerability Details
In the UpdateWeightRunner contract, the staleness check is implemented using a single global threshold:
The issue arises because different oracle feeds have different update frequencies. For example ARB/USD updates once a day, while DAI/USD updates every hour.
Using a single threshold means:
If set too low: Feeds with longer update intervals will be marked stale even when operating normally -> frequent downtime
If set too high: Feeds that should be considered stale will be accepted => incorrect pool weights and incorrect pricing for LP's
Impact
Frequent DoS and incorrect weights applied
Frequent downtime (DoS)
Incorrect pool weight calculations
Mispriced assets in the pool
Potential exploitation through arbitrage when stale prices deviate from market prices
Tools Used
Manual Review
Recommendations
Implement oracle-specific staleness thresholds:
This allows:
Setting appropriate thresholds per oracle feed
Accommodating different update frequencies
More precise staleness detection
Better risk management per price feed
Lead Judging Commences
invalid_oracle_same_threshold_for_assets_in_pool
This is by design, staleness is a strategy aspect: it requires all data to have been updated within n minutes. No more precision needed.
Appeal created
invalid_oracle_same_threshold_for_assets_in_pool
This is by design, staleness is a strategy aspect: it requires all data to have been updated within n minutes. No more precision needed.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.