High Severity - Incorrect Timestamp Validation at `StabilityConfiguration` (Stale Price Reports)
Summary
The timestamp validation logic in StabilityConfiguration.sol incorrectly verifies Chainlink price reports, allowing stale or expired data to be accepted. This occurs due to missing checks against the report's validUntilTimestamp and improper validity window enforcement.
Vulnerability Details
The StabilityConfiguration::verifyOffchainPrice function checks block.timestamp > validFromTimestamp + maxVerificationDelay but neglects two critical validations:
-
Does not verify against Chainlink's validUntilTimestamp expiration time
-
Fails to ensure (validUntil - validFrom) <= maxVerificationDelay
This allows two dangerous scenarios:
-
Expired Reports Accepted: If validUntilTimestamp has passed but validFrom + maxDelay hasn't, expired data is used
-
Overly Long Validity Windows: Reports with validity periods exceeding maxVerificationDelay are permitted
Code References:
Proof of Concept:
Consider a report with:
validFromTimestamp = 1000
validUntilTimestamp = 1500
maxVerificationDelay = 1000
At block.timestamp = 1600:
Current check passes: 1600 <= 1000+1000 (2000)
Actual validity expired at 1500
The protocol would accept a report that has been invalid for 100 blocks.
Impact
Traders could be liquidated based on stale prices
Incorrect profit/loss calculations for positions
Potential arbitrage opportunities draining protocol funds
Systemic risk to USDz stablecoin peg maintenance
Tools Used
Manual code analysis
Chainlink documentation review
Timestamp manipulation testing
Recommendations
Lead Judging Commences
Missing `validUntilTimestamp` check
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.