Setting maxDelayTimes for a token at the lowest possible value would DOS the protocol
Vulnerability Detail
Every oracle checks the price fetched is fresh: that is, that it was received within a set maxDelayTimes
The issue is that maxDelay can be set as low as 10.
As the block period on Ethereum is 12, this means such a value would cause all the getPrice functions to revert - unless the function call happens in the same block as the oracle price update.
Impact
The getPrice function reverting would lead to IchiVaultSpell._validateMaxLTV() reverting, making it impossible to open positions.
joestakey
medium
lower
maxDelayboundary would DOS the protocolSummary
Setting
maxDelayTimesfor a token at the lowest possible value would DOS the protocolVulnerability Detail
Every oracle checks the price fetched is fresh: that is, that it was received within a set
maxDelayTimesThe issue is that
maxDelaycan be set as low as10.As the block period on Ethereum is
12, this means such a value would cause all thegetPricefunctions to revert - unless the function call happens in the same block as the oracle price update.Impact
The
getPricefunction reverting would lead toIchiVaultSpell._validateMaxLTV()reverting, making it impossible to open positions.Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/BaseAdapter.sol#L24
Tool used
Manual Review
Recommendation
Use a higher value for the lower boundary of
maxDelayTimesto account for block period.