code-423n4 / 2022-03-volt-findings


`requestCPIData` timeout potentially denies price update for February #63

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L50
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L77
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L136
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L140

Vulnerability details

Impact

Potential denial of service for CPI update up to 14 days due to the timelock duration and allowed update timeframe.

Proof of Concept

ScalingPriceOracle.requestCPIData rejects updates during the first 14 days of a month. Additionally, two updates must be separated by at least 28 days.

This creates a scenario where if the update of January is done late (e.g. 1/31 23:59), the time window available for requesting a CPI update for February becomes extremely small. Combined with the fact that it is hard to guarantee fast transaction acceptance on chains, it becomes increasingly possible to miss an update.

The 14 days rule then amplifies the effect since CPI cannot be updated for the first 14 days of March, leading to imprecision in the calculated price.

Tools Used

vim, ganache-cli

Recommended Mitigation Steps

Change the TIMEFRAME to some more forgiving 25~27 days.

ElliotFriedman commented 2 years ago

This is a valid finding; however, it assumes that the requestCPIData function does not get called on the 15th of every month, which will happen automatically by multiple bots whose sole purpose is to ensure this function gets called.

jack-the-pug commented 2 years ago

Dup #52