The Integration of Price Feed is not correct and vulnerable to stale price
Summary
The Protocol assume that the IB01/USD price feed will not get updated at weekends due to which they have used 3 days timeout for stale price but in reality it is not, Due to this large timeout the Price feed is vulnerable to stale price conversion.
Vulnerability Detail
Quoting this from Readme:
Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED? If these integrations are trusted, should auditors also assume they are always responsive, for example, are oracles trusted to provide non-stale information, or VRF providers to respond within a designated timeframe?
IB01/USD Price from Chainlink is RESTRICTED, as their documentation states that the price will only be updated during defined market hours (weekends and holidays excluded), so we assume the price is only stale if more than three days have passed.
According to Chainlink docs the Oracle will update it price in following cases
Name
Description
Deviation Threshold
Chainlink nodes are monitoring data offchain. The deviation of the real-world data beyond a certain interval triggers all the nodes to update.
Heartbeat Threshold
If the data values stay within the deviation parameters, it will only trigger an update every X minutes / hours.
The Heart Beat for IB01/USD Price Feed is not 3 days it is 86400s .You can check it from here.
From above two point it is clear that the Price Feed will update after every 86400s , So The Protocol assumes that it will not update from Friday to Sunday which is wrong.
The ChainLink recommendation is that the Price may not be correct during off time of a market but they will update it after every 86400s. the correct time to check for stale price is 86400s not 3 days.
For Proof that it also update the Price Feed during weekends. Pass 18446744073709551980 to getRoundData function of AggregatorV3Interface the time at which the Price Feed was update is 1716106835 in Unix time stamp and Sun May 19 2024 08:20:35 GMT+0000 in GMT time zone.
uint256 private constant _HEALTHY_DIFF = 3 days;
Impact
This _getDataInBase18() will not revert if price is stale. which will result in wrong calculation for conversion.
aman
medium
The Integration of Price Feed is not correct and vulnerable to stale price
Summary
The Protocol assume that the IB01/USD price feed will not get updated at weekends due to which they have used
3 days
timeout for stale price but in reality it is not, Due to this large timeout the Price feed is vulnerable to stale price conversion.Vulnerability Detail
Quoting this from Readme:
Have look here
IB01/USD
Price Feed is not3 days
it is86400s
.You can check it from here. From above two point it is clear that the Price Feed will update after every86400s
, SoThe Protocol assumes that it will not update from Friday to Sunday
which is wrong. The ChainLink recommendation is that the Price may not be correct during off time of a market but they will update it after every86400s
. the correct time to check for stale price is86400s
not3 days
.For Proof that it also update the Price Feed during weekends. Pass
18446744073709551980
togetRoundData
function ofAggregatorV3Interface
the time at which the Price Feed was update is1716106835
in Unix time stamp andSun May 19 2024 08:20:35 GMT+0000
in GMT time zone.Impact
This
_getDataInBase18()
will not revert if price is stale. which will result in wrong calculation for conversion.Code Snippet
https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/feeds/DataFeed.sol#L64-L80
Tool used
Manual Review
Recommendation
Change
_HEALTHY_DIFF
from3 days
to86400s
Duplicate of #110