0x52 - chainlinkAdaptor uses the same heartbeat for both feeds which is highly dangerous #449
Comments
The contract is trying to get the latest price here: https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#LL47C1-L47C1 And the heartbeat is trying to prevent Chainlink from stopping updates. It is the same as Chainlink's heartbeat.
Escalate for 10 USDC
When validating prices for two different token pairs, two different heartbeats must be used.
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Result: Sponsor comment:
Escalations have been resolved successfully! Escalation status:
Fix looks good. Contract now uses separate heartbeats for asset and USDC
0x52
medium
chainlinkAdaptor uses the same heartbeat for both feeds which is highly dangerous
Summary
chainlinkAdaptor uses the same heartbeat for both feeds when checking if the data feed is fresh. The issue with this is that the USDC/USD oracle has a 24-hour heartbeat, whereas the average has a heartbeat of 1 hour. Since they use the same heartbeat, the heartbeat needs to be the slower of the two or else the contract would be nonfunctional most of the time. The issue is that it would allow the consumption of potentially very stale data from the non-USDC feed.
Vulnerability Detail
See summary
Impact
Either near constant downtime or insufficient staleness checks
Code Snippet
https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/adaptor/chainlinkAdaptor.sol#L43-L55
Tool used
Manual Review
Recommendation
Use two separate heartbeat periods
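The recommendation above, sketched as an added example (this is not the JOJO contract or its actual fix): each feed is checked against its own maximum age, so the 1-hour feed is never judged by the 24-hour window. Contract, variable and error names are hypothetical, and both feeds are assumed to report 8 decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Subset of Chainlink's AggregatorV3Interface needed for the freshness check.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound);
}

// Illustrative adaptor (hypothetical names), one heartbeat per feed.
contract DualHeartbeatAdaptor {
    AggregatorV3Interface public immutable assetFeed;
    AggregatorV3Interface public immutable usdcFeed;
    uint256 public immutable assetHeartbeat; // e.g. 1 hours for the asset feed
    uint256 public immutable usdcHeartbeat;  // e.g. 24 hours for USDC/USD

    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(address feed, int256 answer);

    constructor(address asset_, uint256 assetHeartbeat_, address usdc_, uint256 usdcHeartbeat_) {
        assetFeed = AggregatorV3Interface(asset_);
        usdcFeed = AggregatorV3Interface(usdc_);
        assetHeartbeat = assetHeartbeat_;
        usdcHeartbeat = usdcHeartbeat_;
    }

    // Read one feed and enforce that feed's own maximum age.
    function _fresh(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // A non-positive answer cannot be cast safely or used as a divisor.
        if (answer <= 0) revert InvalidPrice(address(feed), answer);
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(address(feed), updatedAt, maxAge);
        return uint256(answer);
    }

    // Asset price in USDC terms, scaled by 1e8 (assumes 8-decimal feeds).
    function assetPriceInUsdc() external view returns (uint256) {
        uint256 assetUsd = _fresh(assetFeed, assetHeartbeat);
        uint256 usdcUsd = _fresh(usdcFeed, usdcHeartbeat);
        return (assetUsd * 1e8) / usdcUsd;
    }
}
```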