Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium

Oracle Staleness Not Enforced Leads to Mispriced Accounting

Author: Revealed upon completion

Root + Impact

Description

  • Under normal behavior, the protocol relies on StrataxOracle to provide timely and accurate pricing data to correctly value deposits, withdrawals, or positions.

  • The issue is that oracle price data is consumed without enforcing freshness guarantees, allowing outdated prices to be used long after market conditions have changed, leading to incorrect accounting and unfair value transfers.

// Root cause in the codebase with @> marks to highlight the relevant section
// Stratax.sol
// @> Price fetched without staleness validation
uint256 price = oracle.getPrice(asset);

Risk

Likelihood:

  • Occurs whenever oracle updates are delayed or temporarily halted.

  • Manifests during normal deposit or withdrawal operations.

Impact:

  • Users interact using stale prices and receive incorrect asset valuations.

  • Protocol accounting diverges from real market value, disadvantaging honest users.

Proof of Concept

// Oracle price remains unchanged during a market move:
// the oracle still reports 100 and its last update is hours old
oracle.lastPrice = 100;
// Market price has since dropped to 50 (oracle not updated)
// User deposits and is credited at the inflated oracle price
deposit(assets); // credited at 100 instead of the real 50

Recommended Mitigation

- remove this code
+ add this code
+ require(
+ block.timestamp - oracle.lastUpdate(asset) <= MAX_PRICE_DELAY,
+ "Stale oracle price"
+ );
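The check above worked into a small consumer contract, as an added illustration that is not code from the Stratax repository. It assumes the oracle exposes a per-asset `lastUpdate(asset)` timestamp (as the mitigation references) and `getPrice(asset)`; the `MAX_PRICE_DELAY` value, the contract and function names, and the 18-decimal price scale are constructed for the example. It goes slightly beyond the finding by also rejecting zero prices and oracle timestamps in the future, both of which would otherwise slip through a plain age check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed oracle surface: getPrice as used in Stratax.sol, plus the
// lastUpdate(asset) timestamp the recommended mitigation relies on.
interface IStrataxOracle {
    function getPrice(address asset) external view returns (uint256);
    function lastUpdate(address asset) external view returns (uint256);
}

// Hypothetical consumer showing the unchecked fetch beside the hardened one.
contract FreshPriceConsumer {
    uint256 public constant MAX_PRICE_DELAY = 1 hours; // constructed bound
    IStrataxOracle public immutable oracle;

    error StalePrice(address asset, uint256 age);
    error InvalidPrice(address asset);

    constructor(IStrataxOracle _oracle) {
        oracle = _oracle;
    }

    // Vulnerable pattern from the finding: the price is used as-is,
    // however long ago the oracle last updated it.
    function unsafePrice(address asset) external view returns (uint256) {
        return oracle.getPrice(asset);
    }

    // Hardened fetch: reject prices older than MAX_PRICE_DELAY, timestamps
    // from the future (a misbehaving oracle), and zero prices.
    function freshPrice(address asset) public view returns (uint256 price) {
        uint256 updated = oracle.lastUpdate(asset);
        if (updated > block.timestamp) revert InvalidPrice(asset);
        uint256 age = block.timestamp - updated;
        if (age > MAX_PRICE_DELAY) revert StalePrice(asset, age);
        price = oracle.getPrice(asset);
        if (price == 0) revert InvalidPrice(asset);
    }

    // Accounting path: every valuation goes through the freshness check,
    // so a deposit during an oracle outage reverts instead of being
    // credited at the stale price shown in the proof of concept.
    function valueOf(address asset, uint256 amount) external view returns (uint256) {
        return amount * freshPrice(asset) / 1e18; // assumes 18-decimal prices
    }
}
```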
