Setting maxDelayTimes for a token at the lowest possible value would DOS the protocol
Vulnerability Detail
Every oracle checks the price fetched is fresh: that is, that it was received within a set maxDelayTimes
The issue is that maxDelay can be set as low as 10.
As the block period on Ethereum is 12, this means such a value would cause all the getPrice functions to revert - unless the function call happens in the same block as the oracle price update.
Impact
The getPrice function reverting would lead to IchiVaultSpell._validateMaxLTV() reverting, making it impossible to open positions.
joestakey
medium
lower
maxDelay
boundary would DOS the protocolSummary
Setting
maxDelayTimes
for a token at the lowest possible value would DOS the protocolVulnerability Detail
Every oracle checks the price fetched is fresh: that is, that it was received within a set
maxDelayTimes
The issue is that
maxDelay
can be set as low as10
.As the block period on Ethereum is
12
, this means such a value would cause all thegetPrice
functions to revert - unless the function call happens in the same block as the oracle price update.Impact
The
getPrice
function reverting would lead toIchiVaultSpell._validateMaxLTV()
reverting, making it impossible to open positions.Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/BaseAdapter.sol#L24
Tool used
Manual Review
Recommendation
Use a higher value for the lower boundary of
maxDelayTimes
to account for block period.