Unbounded oracleStalenessThreshold May Allow Use of Extremely Stale Oracle Data
Summary
Inside the initialize() function:
there is no validation of _oracleStalenessThreshold to ensure it falls within a reasonable range. If _oracleStalenessThreshold is set to a very large or zero value, the contract may:
Treat extremely stale data as valid, causing the pool to rely on outdated oracle inputs for an indefinite period.
Accept a threshold of 0, possibly preventing any oracle data from being used if the logic checks for time differences strictly.
Vulnerability Details
Impact
Data Manipulation or Inaccuracy: Attackers or misconfigured oracles could exploit an unbounded threshold, letting the pool operate on unrefreshed data for a very long time or prematurely invalidating fresh data.
https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L360C60-L360C84
https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L372
Tools Used
Manual audit
Recommendations
Implement Range Checks: Enforce a meaningful minimum and maximum value for _oracleStalenessThreshold. For example:
Adjust the bounds according to the desired update frequency of your oracles.
2. Document Valid Thresholds: Make it clear in the contract’s docs or comments what an acceptable threshold range is, and why.
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.