Oracle Staleness TIMEOUT = 72 Hours Allows Stale Price Exploitation
Scope: src/oracle_lib.vy · src/dsc_engine.vy

Description
The oracle_lib module protects against stale Chainlink prices by reverting if the time since the last price update exceeds TIMEOUT. This ensures the protocol
only operates on fresh price data. However, TIMEOUT is hardcoded to 72 hours — far more permissive than the actual Chainlink heartbeats for both supported
collateral feeds:

oracle_lib.vy

TIMEOUT: constant(uint256) = 72 * 3600 # 72 hours

ETH/USD Chainlink heartbeat: 1 hour → TIMEOUT is 71× too permissive

BTC/USD Chainlink heartbeat: 24 hours → TIMEOUT is 3× too permissive

This creates a window of up to 71 hours where a completely stale ETH/USD price is accepted as valid, allowing attackers who monitor the real market price to
exploit the divergence between the stale on-chain price and the true off-chain price.

Impact
An attacker can exploit a stale price to mint DSC far beyond what the real collateral value supports, or to liquidate healthy positions that appear
undercollateralized against the outdated price. During high-volatility periods — exactly when oracle staleness is most likely — the protocol is most vulnerable
to extraction.

Proof of Concept
T = 0h ETH/USD = $3,000. Chainlink feed updates normally.
T = 1h Chainlink stops updating (network issue, keeper failure).
On-chain price remains $3,000.

T = 24h Real ETH price has crashed to $1,500.
Protocol still reads $3,000. Staleness check:
seconds_since = 24 * 3600 = 86,400
TIMEOUT = 72 * 3600 = 259,200
86,400 <= 259,200 → passes ✓ (stale price accepted)

Attacker deposits 1 ETH (real value: $1,500).
Protocol values it at $3,000 (stale price).
Attacker mints up to 1,500 DSC against $1,500 real collateral.
Real collateralization ratio: 100% — protocol requires 200% (LIQUIDATION_THRESHOLD=50).
Protocol accepts it because stale price says 200%.

T = 72h Feed resumes, price corrects to $1,500.
Attacker's position is immediately undercollateralized.
Protocol has issued DSC backed by insufficient collateral.

Mitigation
Replace the single hardcoded TIMEOUT with per-feed heartbeat values passed at construction. This aligns the staleness window exactly with Chainlink's
guaranteed update frequency — if the feed has not updated within its normal heartbeat window, the price is stale and must be rejected:

Store heartbeat per price feed at deployment

token_address_to_heartbeat: HashMap[address, uint256]

In _stale_check_latest_round_data, use per-feed heartbeat:

heartbeat: uint256 = self.token_address_to_heartbeat[price_feed]
assert seconds_since_last_update <= heartbeat, "OracleLib__StalePrice"

At construction:

ETH/USD feed → heartbeat = 3600 (1 hour)

BTC/USD feed → heartbeat = 86400 (24 hours)

Using the Chainlink-published heartbeat is safe because Chainlink guarantees an update within that window under normal conditions. Any staleness beyond it
indicates a feed failure and the protocol should halt rather than accept the outdated price.