Algo Ssstablecoinsss

First Flight #30
Beginner FriendlyDeFi
100 EXP
View results
Submission Details
Severity: medium
Valid

The TIMEOUT is set as a fixed constant of 72 hours, which makes it inflexible in adapting to the market price.

Summary

In this contract, the TIMEOUT is set as a fixed constant (72 hours, or 259200 seconds). This means that if the oracle price data is not updated within 72 hours, the data will be considered outdated, and the contract will trigger a revert.

Vulnerability Details

At this location in the code,
https://github.com/Cyfrin/2024-12-algo-ssstablecoinsss/blob/4cc3197b13f1db728fd6509cc1dcbfd7a2360179/src/oracle_lib.vy#L15

TIMEOUT: constant(uint256) = 72 * 3600

the timeout is directly set to 72 hours. For an oracle, which cannot dynamically adjust the price updates, this is a suboptimal approach.

Impact

  • Fixed Timeout: The TIMEOUT is hardcoded to 72 hours. In markets with frequent fluctuations or assets that require more frequent price updates, 72 hours might be too long. Conversely, if the timeout is too short, it could cause frequent errors due to the inability to update data in time, disrupting normal contract operations.

  • Non-adjustable Timeout: If the contract's requirements change (e.g., market conditions evolve or the protocol requires more flexibility), the fixed TIMEOUT cannot be dynamically adjusted, leading to potential mismatches with current needs.

  • Lack of Flexibility: The current timeout mechanism is static and cannot be adjusted based on market volatility or the frequency of oracle updates. In volatile markets, a shorter TIMEOUT might be necessary, while in stable markets, a longer timeout would be more appropriate.
    ##Tools Used

Manual review

Recommendations

Introduce a dynamic price expiration mechanism that adjusts based on market conditions. Use volatility data (such as standard deviation or market price fluctuation) to dynamically adjust the timeout period. This can be achieved by monitoring market volatility and adjusting the TIMEOUT accordingly:

# Monitor market volatility and dynamically adjust TIMEOUT
@external
def adjustTimeoutBasedOnVolatility(volatility: uint256):
if volatility > HIGH_VOLATILITY_THRESHOLD:
self.TIMEOUT = SHORTER_TIMEOUT # In high volatility, decrease TIMEOUT
else:
self.TIMEOUT = LONGER_TIMEOUT # In stable market, increase TIMEOUT
log TimeoutAdjusted(self.TIMEOUT)
Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The TIMEOUT is too long and defined as constant

The hearbeat for ETH/USD and BTC/USD price feeds is 86400s, but the TIMEOUT that is used in the protocol is 259200s and it can't be changed because it is defined as constant.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.