DataFeed uses insecure period of freshness

Summary

The solution uses Chainlink's data feed to evaluate the price of EUR/USD and IB01/USD. However, there is a false assumption that price can be fresh for 3 days, whereas the heartbeat for these two feeds is set to 86400s, which is 1 day.

Vulnerability Detail

The protocol owner states that:

IB01/USD Price from Chainlink is RESTRICTED, as their documentation states that the price will only be updated during defined market hours (weekends and holidays excluded), so we assume the price is only stale if more than three days have passed.

However, this assumption is incorrect. The Chainlink's data feed for EUR/USD and IB01/USD has heartbeat set to 86400s, which is 1 day.

EUR/USD, 0xb49f677943bc038e9857d61e7d053caa2c1734c1

The fact that the price is not changed over weekends does not impact the fact that data feed can be still updated with the same value during that time, providing fresh, not stale price.

The protocol owner assumption may lead to the situation when e.g. on Monday the data feed will be corrupted, and the price will be not updated until end of the week, including Tuesday and Wednesday, when provided price will be invalid.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/feeds/DataFeed.sol#L27

    uint256 private constant _HEALTHY_DIFF = 3 days;

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/feeds/DataFeed.sol#L75

        require(
            // solhint-disable-next-line not-rely-on-time
            block.timestamp - updatedAt <= _HEALTHY_DIFF,
            "DF: feed is unhealthy"
        );

Tool used

Manual Review

Recommendation

It is recommended to adjust validation of the data feed freshness to the the particular feed's heartbeat.

Duplicate of #110

sherlock-audit / 2024-05-midas-judging

cocacola - DataFeed uses insecure period of freshness #10