Closed sherlock-admin2 closed 7 months ago
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
auditsea commented:
This issue describes about retreiving zero index by default when collateralAddress is unknown, but the function is called by admin so no need to be considered
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
auditsea commented:
This issue describes about retreiving zero index by default when collateralAddress is unknown, but the function is called by admin so no need to be considered
evmboi32
high
The same (incorrect)
heartbeatis used for multiple price feeds.Summary
The same (incorrect)
heartbeatis used for multiple price feeds.Vulnerability Detail
The
collateralPriceFeedStalenessThresholdsis set to 24 hours for every collateral by default.The problem is that different pairs have different
heartbeats. For example, theLUSD/USDprice should be stale after not being updated for3600s, but since the heartbeat is set to24 hoursit will consider a price valid even if it wasn't updated for up to 24 hours which is incorrect.Impact
Using the same heartbeat for all price feeds is not correct because the freshness validation would be useless for some pairs which can return stale data.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L679
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L546-L552
Tool used
Manual Review
Recommendation
Use the
heartbeatvalues from the officialchainlink docsfor each price feed separately https://docs.chain.link/data-feeds/price-feeds/addresses?network=ethereum&page=1&search=lusdDuplicate of #130