hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

`PriceOracle` uses same stale period for all data feeds #27

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: @deadrosesxyz Twitter username: @deadrosesxyz Submission hash (on-chain): 0xcfc3b04a3854a4535f46dd36ba508f6142b80f5b8371a105020f6012ce8a0f8b Severity: medium

Description: PriceOracle uses the same stale period for all data feeds.

Attack Scenario: Different Chainlink data feeds have different heartbeats. For some feeds it is 1 hour and for some it is up to 48 hours. Using the same oracleExpirationThreshold value for all data feeds would lead to one of two possible scenarios:

  1. If a lower value is chosen, it would often cause a DoS when a data feed with a larger heartbeat has not been recently updated.
  2. If a larger value is chosen, it would allow for stale data to be used from feeds with smaller heartbeats.

Every data feed should have its own oracleExpirationThreshold after which the data would be deemed stale.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)
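Added illustration of the per-feed threshold the report asks for, written for this page and not part of Velvet Capital's PriceOracle or the submission; the contract, the trimmed AggregatorV3Interface and all names are assumptions, and both the shared-threshold read and the per-feed read are shown so the difference is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Subset of Chainlink's AggregatorV3Interface (the real interface has more members).
interface AggregatorV3Interface {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical oracle wrapper written for this issue; not Velvet Capital's PriceOracle.
contract FeedAwareOracle {
    address public immutable owner;
    // Weak pattern from the report: one expiration threshold shared by every feed.
    uint256 public oracleExpirationThreshold = 1 hours;
    // Fix: a threshold per feed, configured from that feed's own heartbeat.
    mapping(address => uint256) public feedStaleThreshold;

    error StalePrice(address feed, uint256 age, uint256 threshold);
    error InvalidAnswer(address feed);

    constructor() { owner = msg.sender; }

    /// @dev Set once per feed, e.g. 1 hours for a 1h-heartbeat feed, 24 hours for a 24h-heartbeat feed.
    function setFeedStaleThreshold(address feed, uint256 threshold) external {
        require(msg.sender == owner, "not owner");
        require(threshold > 0, "threshold must be > 0");
        feedStaleThreshold[feed] = threshold;
    }

    /// @notice Weak variant: a 1h threshold makes a 24h-heartbeat feed revert most of the time,
    ///         while a 24h threshold lets a 1h-heartbeat feed serve day-old answers.
    function getPriceSharedThreshold(address feed) external view returns (uint256) {
        return _read(feed, oracleExpirationThreshold);
    }

    /// @notice Fixed variant: staleness is judged against the feed's own threshold, with no global fallback.
    function getPrice(address feed) external view returns (uint256) {
        uint256 threshold = feedStaleThreshold[feed];
        require(threshold != 0, "feed not configured");
        return _read(feed, threshold);
    }

    function _read(address feed, uint256 threshold) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
        if (answer <= 0 || updatedAt == 0) revert InvalidAnswer(feed);
        uint256 age = block.timestamp - updatedAt; // seconds since the feed last updated
        if (age > threshold) revert StalePrice(feed, age, threshold);
        return uint256(answer);
    }
}
```

Keeping the configured thresholds in sync with Chainlink's published heartbeat for each feed is an operational task; a threshold that is never set makes the fixed read revert rather than silently reusing the global value.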

langnavina97 commented 1 week ago

DUPLICATE #9

This issue is out of scope as it has already been addressed by the auditors. We decided not to make any changes since the price oracle is only being used for the performance fee.

@deadrosesxyz