search

sherlock-audit / 2024-05-midas-judging

13 stars 6 forks source link

4rdiii - Using a stale check period longer than the set heartbeat can lead to utilizing outdated prices even during market hours. #13

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

4rdiii

medium

Using a stale check period longer than the set heartbeat can lead to utilizing outdated prices even during market hours.

Summary

The DataFeed.sol contract configures the _HEALTHY_DIFF parameter for all Chainlink price feeds (including EUR/USD and IB01/USD) to 3 days. This configuration aims to bypass issues related to market closure days.

The Chainlink documentation advises caution when using Forex and UK_ETF feeds outside of their designated market hours, suggesting that these feeds should primarily be relied upon during active trading periods. However, it does not explicitly advise against adjusting the heartbeat interval to account for market closures. This guidance implies that while it's acceptable to use these feeds during market hours, care should be taken to ensure the data's freshness and relevance.

ChainLink Docs:

In addition to categories, be aware that markets for several assets are actively traded only during certain hours. Listed data feeds include an attribute describing their market hours. Chainlink Labs recommends using these feeds only during their specified hours

Vulnerability Detail

Within the DataFeed.sol contract, the _HEALTHY_DIFF parameter is set to 3 days for all Chainlink price feeds, including those for EUR/USD and IB01/USD. This setting is intended to accommodate market closure days by allowing the system to continue operating without interruption. 

contract DataFeed is WithMidasAccessControl, IDataFeed {
    using DecimalsCorrectionLibrary for uint256;

    /**
     * @notice AggregatorV3Interface contract address
     */
    AggregatorV3Interface public aggregator;

    /**
     * @dev healty difference between `block.timestamp` and `updatedAt` timestamps
     */
@>  uint256 private constant _HEALTHY_DIFF = 3 days
    .
    .
    .
}

Chainlink documentation indicates that while markets like UK_ETF operate from 8 AM to 4:30 PM UK time on weekdays, it does not guarantee updates outside these hours. However, it does not explicitly state that price feeds will not update at all during market closures; rather, they might simply report the last available price.

Impact

By configuring _HEALTHY_DIFF to 3 days, there's a risk of utilizing stale prices for the EUR/USD and IB01/USD price feeds, which typically update every 24 hours. This misconfiguration could lead to financial discrepancies and operational inefficiencies, particularly if the protocol relies on these feeds for critical functions such as pricing or valuation.

Code Snippet

GitHub Link

Tool used

Manual Review

Recommendation

To address this vulnerability, the protocol could adjust the _HEALTHY_DIFF parameter to 1 day. This change would reduce the likelihood of using stale prices while still accommodating typical market closure days.


    /**
     * @dev healty difference between `block.timestamp` and `updatedAt` timestamps
     */
-   uint256 private constant _HEALTHY_DIFF = 3 days
+   uint256 private constant _HEALTHY_DIFF = 1 days

Additionally, implementing a mechanism to pause contract functionalities during non-market hours could further enhance the protocol's resilience against using outdated price data. Custom error messages could be employed to notify users of these pauses, ensuring transparency and user understanding.

Duplicate of #110

WangSecurity commented 5 months ago

This report will be invalidated based on the escalation on #110.