Algo Ssstablecoinsss

AI First Flight #2
Beginner FriendlyDeFi
EXP
View results
Submission Details
Severity: medium
Valid

# Staleness `TIMEOUT` of 72 hours far exceeds Chainlink feed heartbeats, so multi-hour-stale prices are treated as fresh

Staleness TIMEOUT of 72 hours far exceeds Chainlink feed heartbeats, so multi-hour-stale prices are treated as fresh

Severity: Low · Impact: Medium · Likelihood: Low

Description

  • The oracle library exists specifically to freeze the protocol when a Chainlink feed goes stale (per its own docstring: "If a price is stale, functions will revert... We should use the Chainlink feed heartbeat to determine if a feed is stale or not"). The correct freshness bound for a feed is its heartbeat — the maximum interval Chainlink guarantees between updates.

  • Instead, the library hardcodes a single TIMEOUT of 72 * 3600 (259,200 seconds = 72 hours) and applies it to every feed. The collateral feeds it guards — ETH/USD and BTC/USD — have heartbeats on the order of ~1 hour (and a 0.5% deviation threshold). A 72-hour window is therefore roughly 70× longer than the feed's actual staleness bound, so a price that has not updated for up to ~71 hours past its heartbeat is still treated as fresh and used verbatim in every collateral valuation.

  • Because the same constant is shared across all feeds, it also cannot be right for a fork that adds feeds with different heartbeats — directly at odds with the "swap out WETH & WBTC for any basket of assets" design goal, where each new feed may have a materially different heartbeat.

@> TIMEOUT: constant(uint256) = 72 * 3600 # 259,200s — ~70x the ~1h ETH/BTC heartbeat
...
seconds_since: uint256 = block.timestamp - updated_at
@> assert seconds_since <= TIMEOUT, "DSCEngine_StalePrice" # only reverts after 72h

Risk

Likelihood:

  • Occurs whenever a feed stops updating for longer than its heartbeat but less than 72 hours — a routine Chainlink degradation (feed pause, sequencer/oracle hiccup, market halt) that this check is meant to catch but silently accepts for up to three days.

Impact:

  • Every price-dependent action — deposit_collateral_and_mint_dsc, mint_dsc, redeem_collateral, and liquidate — executes against a price up to 72 hours old, mispricing collateral for the entire window.

  • During a fast price move that a stale feed hasn't reflected, this enables both under-collateralized minting (borrowing against an overstated collateral value) and wrongful liquidations (positions liquidated on an outdated price), i.e. direct value loss on both sides while the feed is stale-but-within-72h.

Proof of Concept

Save the block below as tests/poc_l1.py inside the cloned repo and run mox test tests/poc_l1.py. A price that has not updated for 71 hours — ~70 heartbeats stale — is still accepted and used; only past the full 72-hour window does the guard finally revert.

import boa
from eth_utils import to_wei
from src import dsc_engine, decentralized_stable_coin
from src.mocks import mock_token, MockV3Aggregator
HOUR = 3600
def _deploy():
dsc = decentralized_stable_coin.deploy()
weth = mock_token.deploy()
other = mock_token.deploy()
eth_usd = MockV3Aggregator.deploy(8, 2_000 * 10**8)
other_usd = MockV3Aggregator.deploy(8, 2_000 * 10**8)
engine = dsc_engine.deploy(
[weth.address, other.address], [eth_usd.address, other_usd.address], dsc
)
dsc.set_minter(engine.address, True)
dsc.transfer_ownership(engine.address)
return engine, weth, eth_usd
def test_stale_price_within_72h_is_accepted():
engine, weth, eth_usd = _deploy()
eth_usd.updateAnswer(2_000 * 10**8) # fresh price at t0
# 71 hours pass with NO feed update. ETH/USD heartbeat is ~1h, so this price
# is ~70 heartbeats stale -- but the 72h TIMEOUT still accepts it.
boa.env.time_travel(seconds=71 * HOUR)
value = engine.get_usd_value(weth.address, to_wei(1, "ether"))
assert value == to_wei(2_000, "ether") # stale 71h price used as if fresh
# Only once past the 72h window does it finally revert.
boa.env.time_travel(seconds=2 * HOUR) # now ~73h stale
with boa.reverts("DSCEngine_StalePrice"):
engine.get_usd_value(weth.address, to_wei(1, "ether"))

Recommended Mitigation

Replace the single global 72-hour constant with a per-feed timeout sized to each feed's actual heartbeat (plus a small buffer), stored alongside the price-feed mapping when a collateral/feed is registered, and validate seconds_since against that per-feed value.

- TIMEOUT: constant(uint256) = 72 * 3600
+ # set per feed at registration, e.g. ~1h heartbeat + buffer for ETH/USD & BTC/USD
+ feed_to_timeout: public(HashMap[address, uint256])
...
seconds_since: uint256 = block.timestamp - updated_at
- assert seconds_since <= TIMEOUT, "DSCEngine_StalePrice"
+ assert seconds_since <= self.feed_to_timeout[price_price_address], "DSCEngine_StalePrice"
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] The TIMEOUT is set as a fixed constant of 72 hours, which makes it inflexible in adapting to the market price.

## Description In this contract, the TIMEOUT is set as a fixed constant (72 hours, or 259200 seconds). This means that if the oracle price data is not updated within 72 hours, the data will be considered outdated, and the contract will trigger a revert. ## Vulnerability Details At this location in the code, <https://github.com/Cyfrin/2024-12-algo-ssstablecoinsss/blob/4cc3197b13f1db728fd6509cc1dcbfd7a2360179/src/oracle_lib.vy#L15> ```Solidity TIMEOUT: constant(uint256) = 72 * 3600 ``` the timeout is directly set to 72 hours. For an oracle, which cannot dynamically adjust the price updates, this is a suboptimal approach. ## Impact - Fixed Timeout: The TIMEOUT is hardcoded to 72 hours. In markets with frequent fluctuations or assets that require more frequent price updates, 72 hours might be too long. Conversely, if the timeout is too short, it could cause frequent errors due to the inability to update data in time, disrupting normal contract operations. - Non-adjustable Timeout: If the contract's requirements change (e.g., market conditions evolve or the protocol requires more flexibility), the fixed TIMEOUT cannot be dynamically adjusted, leading to potential mismatches with current needs. - Lack of Flexibility: The current timeout mechanism is static and cannot be adjusted based on market volatility or the frequency of oracle updates. In volatile markets, a shorter TIMEOUT might be necessary, while in stable markets, a longer timeout would be more appropriate. \##Tools Used Manual review ## Recommendations Introduce a dynamic price expiration mechanism that adjusts based on market conditions. Use volatility data (such as standard deviation or market price fluctuation) to dynamically adjust the timeout period. This can be achieved by monitoring market volatility and adjusting the TIMEOUT accordingly: ```Solidity # Monitor market volatility and dynamically adjust TIMEOUT @external def adjustTimeoutBasedOnVolatility(volatility: uint256): if volatility > HIGH_VOLATILITY_THRESHOLD: self.TIMEOUT = SHORTER_TIMEOUT # In high volatility, decrease TIMEOUT else: self.TIMEOUT = LONGER_TIMEOUT # In stable market, increase TIMEOUT log TimeoutAdjusted(self.TIMEOUT) ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!