search

sherlock-audit / 2023-01-sentiment-judging

2 stars 0 forks source link

ctf_sec - Hardcoded Price refreshness interval is too long #30

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ctf_sec

medium

Hardcoded Price refreshness interval is too long

Summary

Price refresh interval is too long

Vulnerability Detail

In the current implementation of the oracle integration,

the code validates if the price refreshness is up-to 86400

function getEthPrice() internal view returns (uint) {
    (, int answer,, uint updatedAt,) =
        ethUsdPriceFeed.latestRoundData();

    if (block.timestamp - updatedAt >= 86400)
        revert Errors.StalePrice(address(0), address(ethUsdPriceFeed));

    if (answer <= 0)
        revert Errors.NegativePrice(address(0), address(ethUsdPriceFeed));

    return uint(answer);
}

note the code:

if (block.timestamp - updatedAt >= 86400)
    revert Errors.StalePrice(address(0), address(ethUsdPriceFeed));

the price refreshness interval is 86400 seconds, which is one day.

Meaning if the price refreshness is more than one day, the price is invalidated.

However, the hardcoded setting of the 86400 price interval is too long.

Impact

The current setting of the price refreshness interval is one days, meaning when the price becomes stale the system can continue to operate and the stale price is used up to one day, which is clearly very vulnerable.

The stale price can invalidate the collateral pricing and leds to malicious or false liquidation within the period of one day.

Code Snippet

https://github.com/sherlock-audit/2023-01-sentiment/blob/main/oracle/src/gmx/GLPOracle.sol#L49

Tool used

Manual Review

Recommendation

Adjust the price refreshness interval to 10 minutes or 30 minutes or even 1 hours to avoid the stale price.

Duplicate of #3