Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: medium
Valid

Oracle Staleness Not Enforced Leads to Mispriced Accounting

Root + Impact

Description

  • Under normal behavior, Stratax relies on StrataxOracle to supply timely and accurate prices so that deposits, withdrawals and positions are valued at something close to the current market value.

  • The issue is that the price is consumed without any freshness check. If the oracle stops updating (delayed or halted updates), the last stored price keeps being used long after the market has moved, so protocol accounting drifts away from reality and value is transferred to whoever transacts at the off-market price.

// Root cause in the codebase, with @> marking the relevant line
// Stratax.sol
// @> Price is read and used directly; nothing checks when it was last updated
uint256 price = oracle.getPrice(asset);

Risk

Likelihood:

  • Occurs whenever oracle updates are delayed or temporarily halted.

  • Manifests during normal deposit or withdrawal operations, with no attacker action required beyond timing.

Impact:

  • Users interact at stale prices and receive incorrect asset valuations.

  • Protocol accounting diverges from real market value, disadvantaging honest users and letting others extract the difference.

Proof of Concept

// 1. Oracle last published 100 and then stops updating
oracle.lastPrice = 100;
// 2. Market price falls to 50; no new oracle update arrives
// 3. Stratax still reads 100 via oracle.getPrice(asset)
// 4. A deposit made while the feed is stale is credited at 100 instead of 50,
//    i.e. at twice the real value of the assets supplied
deposit(assets); // credited at the stale, inflated valuation
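The scenario above written out as a runnable Foundry test, as an added example rather than code from the Stratax repository. MockOracle, VulnerableVault, HardenedVault, the MAX_PRICE_DELAY value of one hour and the 18-decimal price convention are all assumptions made for the illustration; StrataxOracle's real storage layout and function names may differ. The vulnerable vault mirrors the root cause (read the price, use it); the hardened vault rejects a feed that was never set, is older than the tolerance, or reports zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Stand-in for StrataxOracle (assumed interface, not the real contract).
/// Stores an 18-decimal price and the timestamp of the last update per asset.
contract MockOracle {
    struct Feed { uint256 price; uint256 updatedAt; }
    mapping(address => Feed) private feeds;

    function setPrice(address asset, uint256 price) external {
        feeds[asset] = Feed(price, block.timestamp);
    }

    function getPrice(address asset) external view returns (uint256) {
        return feeds[asset].price;
    }

    function lastUpdate(address asset) external view returns (uint256) {
        return feeds[asset].updatedAt;
    }
}

/// Mirrors the root cause: whatever the oracle returns is trusted.
contract VulnerableVault {
    MockOracle public immutable oracle;
    mapping(address => uint256) public credited; // value credited, 18 decimals

    constructor(MockOracle _oracle) { oracle = _oracle; }

    function deposit(address asset, uint256 assets) external returns (uint256 value) {
        uint256 price = oracle.getPrice(asset); // no freshness check
        value = assets * price / 1e18;
        credited[msg.sender] += value;
    }
}

/// Hardened consumer: refuses stale, unset or zero prices before using them.
contract HardenedVault {
    uint256 public constant MAX_PRICE_DELAY = 1 hours; // assumed tolerance
    MockOracle public immutable oracle;
    mapping(address => uint256) public credited;

    error StalePrice(uint256 age);
    error InvalidPrice();

    constructor(MockOracle _oracle) { oracle = _oracle; }

    function _freshPrice(address asset) internal view returns (uint256 price) {
        uint256 updatedAt = oracle.lastUpdate(asset);
        // A feed that was never set (updatedAt == 0) or one older than the
        // tolerance is rejected; the age is reported for debugging.
        if (updatedAt == 0 || block.timestamp - updatedAt > MAX_PRICE_DELAY) {
            revert StalePrice(block.timestamp - updatedAt);
        }
        price = oracle.getPrice(asset);
        if (price == 0) revert InvalidPrice(); // a zero price would credit nothing
    }

    function deposit(address asset, uint256 assets) external returns (uint256 value) {
        uint256 price = _freshPrice(asset);
        value = assets * price / 1e18;
        credited[msg.sender] += value;
    }
}

/// Replays the PoC: the oracle publishes 100, goes silent, the market moves.
contract StalenessTest is Test {
    MockOracle oracle;
    VulnerableVault vuln;
    HardenedVault hard;
    address asset;

    function setUp() public {
        oracle = new MockOracle();
        vuln = new VulnerableVault(oracle);
        hard = new HardenedVault(oracle);
        asset = makeAddr("asset");
        vm.warp(1_000_000);
        oracle.setPrice(asset, 100e18); // last published price: 100
    }

    function testStaleReadAcceptedByVulnerableRejectedByHardened() public {
        vm.warp(block.timestamp + 2 hours); // market moves, oracle stays silent

        // Vulnerable path still values 1 token at 100.
        assertEq(vuln.deposit(asset, 1e18), 100e18);

        // Hardened path refuses the 2-hour-old read.
        vm.expectRevert(abi.encodeWithSelector(HardenedVault.StalePrice.selector, 2 hours));
        hard.deposit(asset, 1e18);
    }
}
```

Drop the file into a Foundry project's `test/` directory and run `forge test`. The tolerance should be chosen per feed from the oracle's actual update cadence; too tight and the protocol halts on every missed update, too loose and the check is decorative.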

Recommended Mitigation

+ require(
+ block.timestamp - oracle.lastUpdate(asset) <= MAX_PRICE_DELAY,
+ "Stale oracle price"
+ );
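Review bot: `MAX_PRICE_DELAY` and `oracle.lastUpdate(asset)` are used in this hunk but declared nowhere in the code shown; for the fix to compile, the constant has to be defined (or made a configurable parameter) and StrataxOracle has to expose a per-asset update timestamp, which the root-cause snippet (`oracle.getPrice(asset)`) does not confirm it does. Since the judge's tag places the missing check in StrataxOracle itself, consider doing the age check inside `getPrice` so every caller benefits rather than each consumer repeating the `require`, and add a `require(price != 0, "Invalid oracle price")` alongside it so an unset feed cannot value assets at zero.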
Updates

Lead Judging Commences

izuman Lead Judge 16 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Price feed has no staleness check

StrataxOracle contract fails to check if the price is stale, which can mess up swap calculations.
