Closed code423n4 closed 2 years ago
This is a valid finding; however, it assumes that the requestCPIData function does not get called on the 15th of every month, which will happen automatically via multiple bots whose sole purpose is to ensure this function gets called.
Dup #52
Lines of code
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L50
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L77
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L136
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L140
Vulnerability details
Impact
Potential denial of service of the CPI update for up to 14 days, caused by the interaction between the timelock duration (TIMEFRAME) and the allowed update timeframe (no requests during the first 14 days of a month).
Proof of Concept
ScalingPriceOracle.requestCPIData rejects updates during the first 14 days of a month. Additionally, two updates must be separated by at least 28 days (TIMEFRAME). Together these rules create a scenario where, if the January update is done late (e.g. 1/31 23:59), the time window available for requesting a CPI update for February becomes extremely small: in a 28-day February the 28-day gap is only satisfied in the final minute of the month. Combined with the fact that fast transaction inclusion cannot be guaranteed on-chain, it becomes increasingly likely that an update is missed.
The 14-day rule then amplifies the effect, since CPI cannot be updated during the first 14 days of March, leading to imprecision in the calculated price for that period.
Tools Used
vim, ganache-cli
Recommended Mitigation Steps
Change TIMEFRAME to a more forgiving 25 to 27 days, so that a late update in one month still leaves a window of at least a day or two before the month ends.
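The window arithmetic behind the proof of concept and the proposed TIMEFRAME change, as an added example written for this page (it is not code from the Volt contracts or from the warden's submission). It models only the two rules the finding describes, requests rejected before the 15th of the month and a minimum gap of TIMEFRAME since the last accepted request; the function names, the day-of-month cutoff as a constant and the use of wall-clock datetimes are this example's own assumptions, not the contract's implementation.

```python
from datetime import datetime, timedelta

# Parameters of the model. They follow the finding's description of
# ScalingPriceOracle.requestCPIData (requests rejected during the first
# 14 days of a month, and at least TIMEFRAME since the last accepted
# request); they are assumptions of this example, not the contract's code.
TIMEFRAME = timedelta(days=28)
FIRST_ALLOWED_DAY = 15  # first day-of-month on which a request is accepted


def request_allowed(now, last_update, timeframe=TIMEFRAME):
    """Model of the two checks the finding describes."""
    return now.day >= FIRST_ALLOWED_DAY and now - last_update >= timeframe


def _next_month_start(dt):
    if dt.month == 12:
        return datetime(dt.year + 1, 1, 1)
    return datetime(dt.year, dt.month + 1, 1)


def update_window(last_update, year, month, timeframe=TIMEFRAME):
    """Interval inside (year, month) during which a request is accepted,
    as (start, end), or None if the month offers no such interval."""
    month_start = datetime(year, month, 1)
    month_end = _next_month_start(month_start)
    earliest = max(month_start.replace(day=FIRST_ALLOWED_DAY),
                   last_update + timeframe)
    if earliest >= month_end:
        return None
    return earliest, month_end


def window_length(last_update, year, month, timeframe=TIMEFRAME):
    """Length of that month's accepted window (zero if there is none)."""
    w = update_window(last_update, year, month, timeframe)
    return timedelta(0) if w is None else w[1] - w[0]


def next_allowed(from_time, last_update, timeframe=TIMEFRAME):
    """Earliest instant >= from_time at which a request is accepted."""
    t = max(from_time, last_update + timeframe)
    if t.day >= FIRST_ALLOWED_DAY:
        return t
    # Inside the blocked first 14 days: wait for the 15th of that month.
    return t.replace(day=FIRST_ALLOWED_DAY, hour=0, minute=0,
                     second=0, microsecond=0)


if __name__ == "__main__":
    # Constructed scenario from the finding: January's update lands at 1/31 23:59.
    late_january = datetime(2022, 1, 31, 23, 59)
    print("Feb window with TIMEFRAME=28d:", window_length(late_january, 2022, 2))
    print("Feb window with TIMEFRAME=26d:",
          window_length(late_january, 2022, 2, timedelta(days=26)))
    # If that one-minute window is missed, the next accepted request is:
    print("Next accepted after missing Feb:",
          next_allowed(datetime(2022, 3, 1), late_january))
```

With the 28-day gap, a January update at 23:59 on the 31st leaves a single minute of February in which a request is accepted; with a 26-day gap the same late update leaves just over two days. Missing February's window pushes the next accepted request to March 15th, the 14-day stale period the finding describes.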