QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Inappropriate Use of a Single `oracleStalenessThreshold` for All Chainlink Price Feeds

Summary

The current implementation uses a single `oracleStalenessThreshold` constant for every Chainlink price feed read in `updateWeightRunner.sol`. This is problematic because Chainlink feeds have very different heartbeat intervals: the ETH/USD feed has a heartbeat of 1 hour, while the AMPL/USD feed has a heartbeat of 48 hours.
Using one threshold for all feeds leads to two issues:

  • For feeds with short heartbeats (e.g., ETH/USD), a threshold sized for the slowest feed (the 23-hour figure below assumes a 24-hour threshold) accepts a price as fresh for up to 23 hours longer than the feed's own heartbeat warrants. A severely outdated price can then be consumed by the contract, potentially causing significant financial losses.

  • For feeds with long heartbeats (e.g., AMPL/USD), a threshold shorter than the heartbeat incorrectly flags a correctly functioning feed as stale, causing unnecessary reverts or service interruptions.

A real-world incident illustrating the first risk occurred when the Chainlink ETH/USD price feed experienced a 6-hour delay. Under a threshold well above the feed's heartbeat, such a lagging price is still accepted as fresh and could lead to substantial financial losses or incorrect contract executions. https://cryptobriefing.com/chainlink-experiences-6-hour-delay-eth-price-feed/

Vulnerability Details

Using a single `oracleStalenessThreshold` for all price feeds disregards their individual heartbeat intervals, leading to:

  • Overstating freshness for feeds with shorter heartbeats: prices are accepted long after the feed's heartbeat has elapsed.

  • Understating freshness for feeds with longer heartbeats: valid prices from a feed whose heartbeat exceeds the threshold are rejected as stale.

Impact

  1. Financial loss from using outdated or incorrect price data.

  2. Potential contract execution failures or disruptions in protocol operations.

Tools Used

Manual Review

Recommendations

Check staleness per oracle feed: store each feed's documented heartbeat (plus a small grace period) and compare that feed's `updatedAt` against its own limit, rather than against one global `oracleStalenessThreshold`.
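The contrast between the single-threshold check described in the Summary and the per-feed check recommended here, as an added Solidity example. This is illustrative code, not QuantAMM's `updateWeightRunner.sol`: the `AggregatorV3Interface` fragment matches Chainlink's published signatures, but the contract name, error names, the 24-hour constant and the grace period are assumptions chosen for the illustration; the heartbeats in the comments are the ones cited above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface; only the two functions used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative consumer contrasting one global staleness threshold with
///         a per-feed threshold derived from each feed's heartbeat. Example code only.
contract PerFeedStalenessOracle {
    /// @dev Weak pattern from the finding: one age limit for every feed.
    ///      24 hours is an assumed value; it is long enough to accept a day-old
    ///      ETH/USD price (1 h heartbeat) and short enough to reject a valid
    ///      AMPL/USD price (48 h heartbeat).
    uint256 public constant ORACLE_STALENESS_THRESHOLD = 24 hours;

    /// @dev Hardened pattern: each feed carries its own heartbeat plus a grace period.
    struct FeedConfig {
        uint256 heartbeat;   // documented heartbeat, e.g. 1 hours (ETH/USD), 48 hours (AMPL/USD)
        uint256 gracePeriod; // tolerance for a heartbeat round landing a little late
    }

    mapping(address => FeedConfig) public feedConfig;
    address public immutable owner;

    error NotOwner();
    error FeedNotConfigured(address feed);
    error InvalidPrice(address feed, int256 answer);
    error IncompleteRound(address feed);
    error StalePrice(address feed, uint256 age, uint256 maxAge);

    constructor() {
        owner = msg.sender;
    }

    /// @notice Register a feed with its heartbeat; only the owner may do so.
    function setFeed(address feed, uint256 heartbeat, uint256 gracePeriod) external {
        if (msg.sender != owner) revert NotOwner();
        require(heartbeat > 0, "heartbeat must be non-zero");
        feedConfig[feed] = FeedConfig(heartbeat, gracePeriod);
    }

    /// @notice Weak version: the same maximum age for every feed.
    ///         Accepts a 23-hour-old ETH/USD price; rejects a 30-hour-old, still valid AMPL/USD price.
    function getPriceSingleThreshold(address feed) external view returns (uint256) {
        (, int256 answer,, uint256 updatedAt,) = AggregatorV3Interface(feed).latestRoundData();
        require(answer > 0, "invalid price");
        require(block.timestamp - updatedAt <= ORACLE_STALENESS_THRESHOLD, "stale price");
        return uint256(answer);
    }

    /// @notice Hardened version: maximum age is the feed's own heartbeat plus grace.
    function getPrice(address feed) external view returns (uint256 price, uint8 decimals) {
        FeedConfig memory cfg = feedConfig[feed];
        if (cfg.heartbeat == 0) revert FeedNotConfigured(feed);

        AggregatorV3Interface agg = AggregatorV3Interface(feed);
        (, int256 answer,, uint256 updatedAt,) = agg.latestRoundData();

        if (answer <= 0) revert InvalidPrice(feed, answer);
        // updatedAt == 0 means the round has not completed; a future timestamp is malformed.
        if (updatedAt == 0 || updatedAt > block.timestamp) revert IncompleteRound(feed);

        uint256 age = block.timestamp - updatedAt;
        uint256 maxAge = cfg.heartbeat + cfg.gracePeriod;
        if (age > maxAge) revert StalePrice(feed, age, maxAge);

        return (uint256(answer), agg.decimals());
    }
}
```

Usage: after deployment the owner calls `setFeed(ethUsdFeed, 1 hours, 15 minutes)` and `setFeed(amplUsdFeed, 48 hours, 1 hours)`; `getPrice` then rejects an ETH/USD answer older than 75 minutes while still accepting a 30-hour-old AMPL/USD answer, which is exactly the pair of outcomes the single constant gets wrong. Keep the grace period small relative to the heartbeat: a healthy Chainlink feed also updates on price deviation, so an answer can be fresher than the heartbeat but should never be much older than it.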

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

invalid_oracle_same_threshold_for_assets_in_pool

This is by design; staleness is a strategy aspect: it requires all data to have been updated within n minutes. No more precision needed.
