RenzoOracle fetches prices from Chainlink. The primary impact is the potential use of stale price data due to very long heartbeat rate of the tokens in use (stETH24 is 24hours on chainlink), which can significantly affect the accuracy and reliability of the contract's operations, especially in volatile markets. This discrepancy could also introduce inefficiencies in how the contract operates, as it waits for a long period before considering the data stale
Proof of Concept
function getMintRate() public view returns (uint256, uint256) {
(, int256 price, , uint256 timestamp, ) = oracle.latestRoundData();
if (timestamp < block.timestamp - MAX_TIME_WINDOW) revert OraclePriceExpired();
// scale the price to have 18 decimals
uint256 _scaledPrice = (uint256(price)) * 10 ** (18 - oracle.decimals());
if (_scaledPrice < 1 ether) revert InvalidOraclePrice();
return (_scaledPrice, timestamp);
}
Tools Used
Manual review
Recommended Mitigation Steps
Use the stETH/USD oracle instead because it has a 1-hour heartbeat.
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Bridge/L2/Oracle/RenzoOracleL2.sol#L11-L13
Vulnerability details
Impact
RenzoOracle
fetches prices from Chainlink. The primary impact is the potential use of stale price data due to very long heartbeat rate of the tokens in use (stETH24 is 24hours on chainlink), which can significantly affect the accuracy and reliability of the contract's operations, especially in volatile markets. This discrepancy could also introduce inefficiencies in how the contract operates, as it waits for a long period before considering the data staleProof of Concept
Tools Used
Manual review
Recommended Mitigation Steps
Use the stETH/USD oracle instead because it has a 1-hour heartbeat.
Assessed type
Oracle