code-423n4 / 2024-05-munchables-validation

PriceFeed congestion may result in delayed price updates #50

Open c4-bot-8 opened 2 months ago

c4-bot-8 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L202-L203

Vulnerability details

Impact

Prices may expire and incorrect prices may appear.

Proof of Concept

According to the current price logic, 5 nodes vote, and 3 PriceFeeds need to agree before the price will be updated correctly. Imagine a situation where the price needs to be updated when the price drops, and there are 2 votes in favor and 2 votes against. There is also a PriceFeed whose vote has been delayed due to network problems or other reasons. At this time, there will be a delay in price updates, and users may make profits through harvest. The protocol cannot prevent this loss in time.

Tools Used

manual

Recommended Mitigation Steps

It is recommended to prepare backup measures for price updates, or to add more PriceFeeds.

Assessed type

Oracle
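
The stalled vote described in this report, as an added off-chain watchdog sketch (not code from the report or from the Munchables contracts). The feed names, the 600-second alert window, and a rejection threshold equal to the approval threshold are assumptions; only the 5-feed, 3-approval rule comes from the report.

```python
from dataclasses import dataclass, field

# Assumed values for this sketch, not read from LockManager.sol.
FEEDS = ("feed1", "feed2", "feed3", "feed4", "feed5")  # hypothetical feed names
THRESHOLD = 3               # votes needed to approve (assumed same to reject)
MAX_PENDING_SECONDS = 600   # hypothetical alert window


@dataclass
class Proposal:
    proposed_at: int                                  # unix time the vote opened
    approvals: set = field(default_factory=set)
    disapprovals: set = field(default_factory=set)

    def vote(self, feed: str, approve: bool) -> None:
        if feed not in FEEDS:
            raise ValueError(f"unknown feed: {feed}")
        if feed in self.approvals or feed in self.disapprovals:
            raise ValueError(f"{feed} has already voted")
        (self.approvals if approve else self.disapprovals).add(feed)

    def status(self) -> str:
        if len(self.approvals) >= THRESHOLD:
            return "approved"
        if len(self.disapprovals) >= THRESHOLD:
            return "rejected"
        return "pending"


def check(p: Proposal, now: int) -> dict:
    """Watchdog verdict: is a price proposal stuck, and on which feeds?"""
    status = p.status()
    voted = p.approvals | p.disapprovals
    age = now - p.proposed_at
    return {
        "status": status,
        "age": age,
        "waiting_on": [f for f in FEEDS if f not in voted],
        "alert": status == "pending" and age > MAX_PENDING_SECONDS,
    }


def stalled_example() -> Proposal:
    """Constructed scenario from the report: 2 for, 2 against, feed5 silent."""
    p = Proposal(proposed_at=1_000)
    for feed, approve in [("feed1", True), ("feed2", True),
                          ("feed3", False), ("feed4", False)]:
        p.vote(feed, approve)
    return p
```

When `alert` is true, `waiting_on` names the feed whose silence is holding the price at its old value.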

Scorpiondeng commented 1 month ago

Hello judge, the bot did not push this issue to finding. It is possible that the vote failed due to unexpected delays.

alex-ppg commented 1 month ago

Hey @Scorpiondeng, I appreciate your due diligence! The price feed roles are partially trusted and the behavior outlined does not result in any significant impact as the administrator can re-assign roles.