Fixed price never expires

[code423n4]

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracle.sol#L64

Vulnerability details

Impact

Once a fixed price has been set by owner, it never expires until owner explicitly sets it to 0. This could be risky where contract might be working with an obsolete price, if Owner failed to update price timely

Proof of Concept

1. Owner sets fixed price P1 for fToken F using setPrice function

function setPrice(address fToken, uint256 price) external override onlyOwner {
    uint256 oldPrice = fTokenToUnderlyingPrice[fToken];
    fTokenToUnderlyingPrice[fToken] = price;
    emit UnderlyingPriceSet(fToken, oldPrice, price);
  }

2. After X days, if the getUnderlyingPrice is retrieved then price P1 will be returned for fToken F. This shows that fixed price which was set X days ago still works and never expires

function getUnderlyingPrice(
    address fToken
  ) external view override returns (uint256) {
    if (fTokenToUnderlyingPrice[fToken] != 0) {
      return fTokenToUnderlyingPrice[fToken];
    } else {
      ...
    }
  }

Recommended Mitigation Steps

Fixed price must expire after x seconds of addition. This will prevent contract from using obsolete prices

[c4-judge]

trust1995 changed the severity to QA (Quality Assurance)

[c4-judge]

trust1995 marked the issue as grade-b

[c4-sponsor]

tom2o17 marked the issue as sponsor acknowledged

[tom2o17]

Not super concerned with having the price expire. This manual setting of the oracle price is really only intended to be used wrt to CASH token