langnavina97
commented
1 week ago This issue is out of scope as it has already been addressed by the auditors. We decided not to make any changes since the price oracle is only being used for the performance fee.
Tri-pathi
Github username: -- Twitter username: -- Submission hash (on-chain): 0xdb1d03b9e1c9425e6fa34585398ac2572f3b0d2cddfac1e0788d1a366ed32a42 Severity: medium
Description: Description\
PriceOracle::oracleExpirationThresholduses sameoracleExpirationThresholdfor all the pricefeed.Same
[PriceOracle::oracleExpirationThreshold](https://github.com/hats-finance/Velvet-Capital-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/main/contracts/oracle/PriceOracleAbstract.sol#L57)is used for all the feeds which could give stale priceMost of pricefeed have heartbeat of 1 hr and 24 hr, as seen from the constructor the
oracleExpirationThresholdhas been set to 25 hours, which is way more than heartbeat of most of the pricefeedsThere are different type of pricefeeds with large range(1 min to 24 hr) of heartbeats so checking stale price on the basis of
oracleExpirationThresholdis completely wrongif heartbeat is < 1 hr(eg ETH/USDC Also used in test files, has heartbeat is 60 seconds), chainlink updates price, iff price crosses deviation threshold or heartbeat time passed. As price movement can be slow in stable market condition so price will be updated only at heartbeats. So for ETH/USDC price could be stale after 60 seconds but the current implmentation doesn't check this. It could use stale price for 25 hours
https://github.com/hats-finance/Velvet-Capital-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/main/contracts/oracle/PriceOracle.sol#L26
Use specific oracleExpirationThreshold for every feed