Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Chainlink Data Streams Timestamp Mismatch in Swap Execution

0xexploud

Summary

The UsdTokenSwapKeeper.checkLog() function uses block.timestamp instead of the log.timestamp in revert StreamsLookup call. It can lead to incorrect prices being used in the swap as the block timestamp may not accurately reflect the event emission time.

Vulnerability Details

In the UsdTokenSwapKeeper.checkLog() function, when requesting price data through Chainlink's Data Streams, the code uses block.timestamp as the timestamp parameter in the StreamsLookup revert call:

revert StreamsLookup(DATA_STREAMS_FEED_LABEL, streams, DATA_STREAMS_QUERY_LABEL, block.timestamp, extraData);

However, Chainlink's recommended implementation specifically uses log.timestamp:

// This function uses revert to convey call information.
// See https://eips.ethereum.org/EIPS/eip-3668#rationale for details.
function checkLog(
Log calldata log,
bytes memory
) external returns (bool upkeepNeeded, bytes memory performData) {
revert StreamsLookup(
DATASTREAMS_FEEDLABEL,
feedIds,
DATASTREAMS_QUERYLABEL,
log.timestamp,
""
);
}

The block.timestamp represents the time when the block containing the transaction is mined, while log.timestamp represents the actual time when the event was emitted.

Impact

Swaps executes at incorrect prices.

Tools Used

Manual Review, VSCode

Recommendations

Modify the checkLog function to use log.timestamp instead of block.timestamp in the StreamsLookup revert

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StreamsLookup revert should use log.timestamp instead of block.timestamp

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!