This repository has been archived by the owner on Oct 20, 2024. It is now read-only.

boredpukar - Misalignment in Expected and Actual Oracle Update Frequency Leading to Frequent Reverts #23

Closed
github-actions bot opened this issue Apr 22, 2024 · 0 comments
Labels
  • Excluded: Excluded by the judge without consulting the protocol or the senior
  • Non-Reward: This issue will not receive a payout

Comments


github-actions bot commented Apr 22, 2024

boredpukar

high

Misalignment in Expected and Actual Oracle Update Frequency Leading to Frequent Reverts

Summary

The misalignment between the expected update frequency hardcoded into the smart contract and the actual update frequency provided by Chainlink oracles can lead to several critical issues, such as frequent transaction reverts.

Vulnerability Detail

The getExpectedExchange function calculates expected exchange rates based on the latest round data from Chainlink oracles. It incorrectly assumes that the update frequency is uniform across different networks (like Arbitrum and Optimism). This assumption can lead to logical errors in environments where the actual update frequency is significantly longer, as seen on the Arbitrum network.

On the Optimism network, the heartbeat of the OP/USD and ETH/USD pairs is set to 1200 seconds. Reference.

However, on the Arbitrum network, the heartbeat of the OP/USD and ETH/USD pairs is set to 86400 seconds. Reference.

Impact

Imagine a scenario where a user attempts to use the getExpectedExchange function on the Arbitrum network:

  • The Chainlink oracle updates the OP/USD and ETH/USD every 86400 seconds.
  • The user calls the function shortly after an update, and then again 1300 seconds later.
  • The second call will fail because the update time check (1200 seconds) is exceeded, even though the oracle data is still relatively fresh by the oracle's standards.

Code Snippet

https://github.com/sherlock-audit/2024-04-alchemix/blob/main/v2-foundry/src/utils/collectors/OptimismRewardCollector.sol#L110
https://github.com/sherlock-audit/2024-04-alchemix/blob/main/v2-foundry/src/utils/collectors/OptimismRewardCollector.sol#L128

    if( updateTime < block.timestamp - 1200 seconds ) {
        revert("Chainlink Malfunction");
    }

    if( updateTimeEth < block.timestamp - 1200 seconds ) {
        revert("Chainlink Malfunction");
    }

Tool used

Manual Review

Recommendation

The smart contract needs more flexible and network-aware handling of oracle data freshness. For this, it can implement network-specific parameters for oracle freshness checks. These could be set during the deployment or through a configuration function that can adjust the freshness threshold based on the network.

Duplicate of #14

@github-actions github-actions bot added the labels Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label) and High (A valid High severity issue) on Apr 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title from "Decent Mulberry Poodle - Misalignment in Expected and Actual Oracle Update Frequency Leading to Frequent Reverts" to "boredpukar - Misalignment in Expected and Actual Oracle Update Frequency Leading to Frequent Reverts" on Apr 30, 2024
@sherlock-admin4 sherlock-admin4 added the label Reward (A payout will be made for this issue) on Apr 30, 2024
@WangSecurity WangSecurity added the label Excluded (Excluded by the judge without consulting the protocol or the senior) and removed the label High (A valid High severity issue) on May 14, 2024
@sherlock-admin2 sherlock-admin2 added the label Non-Reward (This issue will not receive a payout) and removed the labels Reward (A payout will be made for this issue) and Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label) on May 14, 2024
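The recommendation in the report (per-network freshness thresholds instead of a single hardcoded 1200-second window) can be illustrated with the following contract. This is an added example written for this page, not code from the Alchemix repository or from the report's author; the contract name `HeartbeatAwareCollector`, the `Feed` struct, the owner-only `setMaxStaleness` setter and the `expectedOpForEth` helper are all assumptions made here. The only figures taken from the report are the 1200-second (Optimism) and 86400-second (Arbitrum) heartbeats; adding a grace margin on top of the documented heartbeat is a common deployment practice, not something the report prescribes. The `AggregatorV3Interface` subset uses Chainlink's real function signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of Chainlink's AggregatorV3Interface (real function signatures).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical reward collector (example only, not the project's code).
/// The staleness window is stored per feed and chosen at deployment from that
/// network's documented heartbeat instead of one hardcoded 1200-second constant.
contract HeartbeatAwareCollector {
    struct Feed {
        AggregatorV3Interface aggregator;
        uint256 maxStaleness; // seconds: this feed's heartbeat on this chain, plus an optional grace margin
    }

    address public immutable owner;
    Feed public opUsd;
    Feed public ethUsd;

    error NotOwner();
    error StalePrice(address aggregator, uint256 updatedAt, uint256 maxStaleness);
    error InvalidAnswer(address aggregator, int256 answer);
    error IncompleteRound(address aggregator, uint80 roundId, uint80 answeredInRound);

    event MaxStalenessUpdated(address indexed aggregator, uint256 maxStaleness);

    /// Assumed deployment values (from the report's figures): on Optimism pass
    /// roughly 1200 seconds for both feeds, on Arbitrum roughly 86400 seconds.
    constructor(address opAggregator, uint256 opMaxStaleness, address ethAggregator, uint256 ethMaxStaleness) {
        owner = msg.sender;
        opUsd = Feed(AggregatorV3Interface(opAggregator), opMaxStaleness);
        ethUsd = Feed(AggregatorV3Interface(ethAggregator), ethMaxStaleness);
    }

    /// Lets the window be retuned if Chainlink changes a feed's heartbeat, without redeploying.
    /// Keep this behind whatever admin control the protocol already uses.
    function setMaxStaleness(bool isOpFeed, uint256 maxStaleness) external {
        if (msg.sender != owner) revert NotOwner();
        Feed storage feed = isOpFeed ? opUsd : ethUsd;
        feed.maxStaleness = maxStaleness;
        emit MaxStalenessUpdated(address(feed.aggregator), maxStaleness);
    }

    /// Reads one feed and rejects non-positive, incomplete or stale answers.
    /// Returns the price scaled to 18 decimals.
    function _checkedPrice(Feed memory feed) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.aggregator.latestRoundData();
        address agg = address(feed.aggregator);

        if (answer <= 0) revert InvalidAnswer(agg, answer);
        if (updatedAt == 0 || answeredInRound < roundId) revert IncompleteRound(agg, roundId, answeredInRound);
        // Age is measured against this feed's own window, so an 86400-second heartbeat
        // feed no longer reverts 1300 seconds after its last update. updatedAt is a
        // past timestamp; under 0.8 checked arithmetic a future value would revert, not wrap.
        if (block.timestamp - updatedAt > feed.maxStaleness) revert StalePrice(agg, updatedAt, feed.maxStaleness);

        uint8 dec = feed.aggregator.decimals();
        return uint256(answer) * (10 ** uint256(18 - dec)); // assumes dec <= 18, true for Chainlink USD feeds
    }

    /// Expected OP received for `ethAmount` wei of ETH at current oracle prices.
    /// Both feeds are USD-quoted, so the ratio cancels the USD leg.
    function expectedOpForEth(uint256 ethAmount) external view returns (uint256) {
        uint256 ethPrice = _checkedPrice(ethUsd);
        uint256 opPrice = _checkedPrice(opUsd);
        return ethAmount * ethPrice / opPrice;
    }
}
```

The check `block.timestamp - updatedAt > feed.maxStaleness` is the same comparison as the original `updateTime < block.timestamp - 1200 seconds`, but with the constant replaced by a per-feed value and without the subtraction from `block.timestamp` that the original performs before comparing. Setting the window slightly above the documented heartbeat avoids reverting on the block in which a scheduled update is merely late by a few seconds; setting it far above the heartbeat defeats the purpose of the check, since a feed that has actually stopped updating would still be accepted.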