In some edge cases the Price fetch from Chainlink will be stale.
Proof of Concept
The Protocol uses Chainlink oracle for real time price of tokens used in protocol.
There is a chance that the price return from chainlink might be stale. To prevent this case the protocol uses time window which indicates that the price return from Chainlink is either stale or not.
The Chainlink oracle used in Renzo have 84600s max-haartbeat.which meanse the price return in between (timestamp< block.timestamp-84600s) is a valid price rate.check here
But the Protocol add 60s more to this window time. the Price return in this extra 60s is not guaranteed to be correct.
Tools Used
Manual Review
Recommended Mitigation Steps
remove 60s time from MAX_TIME_WINDOW:
- uint256 public constant MAX_TIME_WINDOW = 86400 + 60;
+ uint256 public constant MAX_TIME_WINDOW = 86400;
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Bridge/L2/Oracle/RenzoOracleL2.sol#L13
Vulnerability details
Impact
In some edge cases the Price fetch from Chainlink will be stale.
Proof of Concept
The Protocol uses Chainlink oracle for real time price of tokens used in protocol. There is a chance that the price return from chainlink might be stale. To prevent this case the protocol uses time window which indicates that the price return from Chainlink is either stale or not. The Chainlink oracle used in Renzo have 84600s max-haartbeat.which meanse the price return in between
(timestamp< block.timestamp-84600s)
is a valid price rate.check here But the Protocol add60s
more to this window time. the Price return in this extra60s
is not guaranteed to be correct.Tools Used
Manual Review
Recommended Mitigation Steps
remove
60s
time fromMAX_TIME_WINDOW
:Assessed type
Oracle