XDZIBEC - Stale Data issue in Oracle Update and Consult Functions #92
Comments
1 comment(s) were left on this issue during the judging contest. auditsea commented:
This seems to be a duplicate of #13
The protocol team fixed this issue in PR/commit ubiquity/ubiquity-dollar#893.
The Lead Senior Watson signed off on the fix.
XDZIBEC
medium
Stale Data issue in Oracle Update and Consult Functions
Summary
See vulnerability details.
Vulnerability Detail
The contract serves as a TWAP oracle for a Curve MetaPool involving Dollar and 3CRV LP tokens.
We have these functions:
- setPool sets the Curve MetaPool for TWAP calculations.
- update updates state variables based on the latest values from the MetaPool.
- consult returns the price quote for a specified token.
The vulnerability exists in both the update and consult functions: the first function has no mechanism to ensure the oracle data is updated in a timely manner, and the consult function has no verification to ensure that the consulted data is fresh and not stale.
Impact
Code Snippet
Tool used
Manual Review
Recommendation
- It needs a timestamp check in the update function to ensure that the oracle data is not stale. As an example, a fix is to define a maximum time interval within which data must be updated and revert the transaction if the current timestamp exceeds this interval since the last update.
Duplicate of #34
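A sketch of the kind of freshness check the report recommends, here placed on the read path so that consult reverts once the last update is older than a maximum interval. This is an added example, not Ubiquity's contract and not the fix from the referenced PR; IPriceSource, MAX_AGE, the error names and the storage layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical price feed standing in for the MetaPool read (assumption).
interface IPriceSource {
    function currentPrice(address token) external view returns (uint256);
}

contract FreshnessCheckedOracle {
    error StalePrice(uint256 lastUpdate, uint256 currentTime);
    error UnknownToken(address token);

    // Assumed maximum age of a stored quote; a real value is a design decision.
    uint256 public constant MAX_AGE = 30 minutes;

    IPriceSource public immutable source;
    address public immutable token0;
    address public immutable token1;

    uint256 public price0;
    uint256 public price1;
    // block.timestamp of the last successful update(); zero until first update.
    uint256 public lastUpdate;

    constructor(IPriceSource _source, address _token0, address _token1) {
        source = _source;
        token0 = _token0;
        token1 = _token1;
    }

    // Refresh the stored quotes and record when the refresh happened.
    function update() external {
        price0 = source.currentPrice(token0);
        price1 = source.currentPrice(token1);
        lastUpdate = block.timestamp;
    }

    // Return a stored quote only while it is inside the freshness window.
    // Before the first update(), lastUpdate is zero, so this also reverts.
    function consult(address token) external view returns (uint256) {
        if (block.timestamp - lastUpdate > MAX_AGE) {
            revert StalePrice(lastUpdate, block.timestamp);
        }
        if (token == token0) return price0;
        if (token == token1) return price1;
        revert UnknownToken(token);
    }
}
```

Callers of consult have to handle the StalePrice revert, for example by calling update first or by pausing the dependent action.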