code-423n4 / 2024-04-renzo-findings


stETH/ETH chainlink oracle has too long of heartbeat #473

Open howlbot-integration[bot] opened 6 months ago

howlbot-integration[bot] commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Bridge/L2/Oracle/RenzoOracleL2.sol#L11-L13

Vulnerability details

Impact

RenzoOracle fetches prices from Chainlink. The primary impact is the potential use of stale price data due to the very long heartbeat of the feeds in use (stETH/ETH is 24 hours on Chainlink), which can significantly affect the accuracy and reliability of the contract's operations, especially in volatile markets. This discrepancy could also introduce inefficiencies in how the contract operates, as it waits for a long period before considering the data stale.

Proof of Concept

```solidity
function getMintRate() public view returns (uint256, uint256) {
    // only the answer and its update timestamp are read from the Chainlink round
    (, int256 price, , uint256 timestamp, ) = oracle.latestRoundData();
    // staleness check: MAX_TIME_WINDOW is the only bound on how old the answer may be
    if (timestamp < block.timestamp - MAX_TIME_WINDOW) revert OraclePriceExpired();
    // scale the price to have 18 decimals
    uint256 _scaledPrice = (uint256(price)) * 10 ** (18 - oracle.decimals());
    if (_scaledPrice < 1 ether) revert InvalidOraclePrice();
    return (_scaledPrice, timestamp);
}
```

Tools Used

Manual review

Recommended Mitigation Steps

Use the stETH/USD oracle instead because it has a 1-hour heartbeat.

Assessed type

Oracle
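To make the heartbeat/staleness interaction concrete, here is an added Python model of the `getMintRate()` check above. It is constructed for this write-up and is not code from the Renzo repository; it assumes `MAX_TIME_WINDOW` is configured to match the feed heartbeat, and the 24-hour (stETH/ETH) and 1-hour (stETH/USD) heartbeats come from the finding text. The `heartbeat_window_tradeoff` helper goes one step beyond the finding: it shows why simply tightening the window on a 24-hour feed is not a fix, because the contract would then revert for most of every heartbeat interval.

```python
"""Model of the Chainlink staleness check in getMintRate() (constructed example, not project code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WAD = 10 ** 18   # 1 ether: the floor the contract enforces on the scaled price
HOUR = 3600

# Heartbeats quoted in the finding (assumed current for the purpose of this model)
STETH_ETH_HEARTBEAT = 24 * HOUR
STETH_USD_HEARTBEAT = 1 * HOUR


class OraclePriceExpired(Exception):
    """Mirrors the contract's OraclePriceExpired() revert."""


class InvalidOraclePrice(Exception):
    """Mirrors the contract's InvalidOraclePrice() revert."""


@dataclass(frozen=True)
class RoundData:
    """The fields of latestRoundData() the contract reads, plus the feed's decimals()."""
    answer: int      # int256 price as reported by the aggregator
    updated_at: int  # uint256 timestamp of the round
    decimals: int    # oracle.decimals()


def get_mint_rate(round_data: RoundData, now: int, max_time_window: int) -> Tuple[int, int]:
    """Port of getMintRate(): reject stale rounds, scale to 18 decimals, floor at 1 ether."""
    if round_data.updated_at < now - max_time_window:
        raise OraclePriceExpired()
    scaled = round_data.answer * 10 ** (18 - round_data.decimals)
    if scaled < WAD:
        raise InvalidOraclePrice()
    return scaled, round_data.updated_at


def accepted_age_seconds(round_data: RoundData, now: int, max_time_window: int) -> Optional[int]:
    """Age (seconds) of a price the check accepts, or None when the call would revert."""
    try:
        get_mint_rate(round_data, now, max_time_window)
    except (OraclePriceExpired, InvalidOraclePrice):
        return None
    return now - round_data.updated_at


def heartbeat_window_tradeoff(heartbeat: int, max_time_window: int) -> Dict[str, int]:
    """Worst case for a feed that only refreshes on its heartbeat (no deviation-triggered updates).

    max_accepted_age: the oldest answer the check will still return.
    revert_seconds_per_interval: how long per heartbeat interval the oracle is unusable
    because the window is shorter than the time between updates.
    """
    if max_time_window >= heartbeat:
        return {"max_accepted_age": heartbeat, "revert_seconds_per_interval": 0}
    return {
        "max_accepted_age": max_time_window,
        "revert_seconds_per_interval": heartbeat - max_time_window,
    }


if __name__ == "__main__":
    # Constructed scenario: feed answered 1.0 (8 decimals) at t=0, we read it 20 hours later.
    last_round = RoundData(answer=10 ** 8, updated_at=0, decimals=8)
    now = 20 * HOUR
    print("24h window accepts price aged (s):", accepted_age_seconds(last_round, now, STETH_ETH_HEARTBEAT))
    print(" 1h window accepts price aged (s):", accepted_age_seconds(last_round, now, STETH_USD_HEARTBEAT))
    print("stETH/ETH, window = heartbeat :", heartbeat_window_tradeoff(STETH_ETH_HEARTBEAT, STETH_ETH_HEARTBEAT))
    print("stETH/ETH, window = 1h        :", heartbeat_window_tradeoff(STETH_ETH_HEARTBEAT, STETH_USD_HEARTBEAT))
    print("stETH/USD, window = heartbeat :", heartbeat_window_tradeoff(STETH_USD_HEARTBEAT, STETH_USD_HEARTBEAT))
```

Running the script shows the point of the finding: with the window sized to the stETH/ETH heartbeat, a 20-hour-old answer is returned as fresh, while the same window on the 1-hour feed would have rejected it after 1 hour. The trade-off helper also shows that a 1-hour window on a 24-hour feed leaves the oracle reverting for 23 hours of every interval, which is why the feed choice, not the window constant, is the lever.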

c4-judge commented 5 months ago

alcueca marked the issue as not a duplicate

c4-judge commented 5 months ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 5 months ago

alcueca marked the issue as grade-a

c4-judge commented 5 months ago

alcueca marked the issue as unsatisfactory: Invalid

c4-judge commented 5 months ago

This previously downgraded issue has been upgraded by alcueca

c4-judge commented 5 months ago

alcueca marked the issue as duplicate of #8

c4-judge commented 5 months ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 5 months ago

alcueca marked the issue as grade-a