000000 - The Redstone oracle can report stale prices #290

Closed
sherlock-admin3 opened this issue Aug 24, 2024 · 6 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Escalation Resolved This issue's escalations have been approved/rejected Medium A Medium severity issue. Reward A payout will be made for this issue


sherlock-admin3 commented Aug 24, 2024

000000

Medium

The Redstone oracle can report stale prices

Summary

The Redstone oracle can report stale prices

Vulnerability Detail

The Redstone oracle has a hard coded stale price threshold:

uint256 public constant STALE_PRICE_THRESHOLD = 3600;

The issue with that is that quite a few price feeds have a lower heartbeat than an hour. Especially on the BSC network, which is an EVM-compatible chain that, as mentioned in the README, would be used, we can see that there are price feeds with a heartbeat of just a minute (https://docs.redstone.finance/docs/get-started/price-feeds).

Impact

The Redstone oracle can report stale prices

Code Snippet

https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/25a0c8aeaddec273c5318540059165696591ecfb/protocol-v2/src/oracle/RedstoneOracle.sol#L19

Tool used

Manual Review

Recommendation

Each price feed must have its own heartbeat

Duplicate of #126
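
The recommendation above, sketched as an added example that is not part of the original report or the Sentiment code base: a per-feed maximum age checked next to the single `STALE_PRICE_THRESHOLD`. The contract, its functions and the heartbeat-plus-grace bound are hypothetical; only the constant comes from the issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
// Added illustration, not the Sentiment or RedStone code. Every name except
// STALE_PRICE_THRESHOLD is hypothetical.
contract PerFeedStalenessExample {
    uint256 public constant STALE_PRICE_THRESHOLD = 3600; // global bound from the issue
    struct Feed {
        uint256 price;     // last reported price
        uint256 updatedAt; // block timestamp of the last report
        uint256 maxAge;    // per-feed bound: heartbeat plus grace, in seconds
    }
    address public immutable owner;
    mapping(address => Feed) public feeds;
    error NotOwner();
    error FeedNotConfigured(address asset);
    error StalePrice(address asset, uint256 age, uint256 limit);

    constructor() { owner = msg.sender; }

    // Assumed admin hook: e.g. heartbeat = 60 for a one-minute feed.
    function configureFeed(address asset, uint256 heartbeat, uint256 grace) external {
        if (msg.sender != owner) revert NotOwner();
        feeds[asset].maxAge = heartbeat + grace;
    }

    // Stand-in for the oracle update path.
    function report(address asset, uint256 price) external {
        if (msg.sender != owner) revert NotOwner();
        feeds[asset].price = price;
        feeds[asset].updatedAt = block.timestamp;
    }

    // Single hard-coded bound: a one-minute feed silent for 59 minutes still passes.
    function priceGlobalBound(address asset) external view returns (uint256) {
        return _fresh(asset, STALE_PRICE_THRESHOLD);
    }

    // Per-feed bound: unconfigured feeds are rejected rather than defaulted.
    function pricePerFeedBound(address asset) external view returns (uint256) {
        uint256 limit = feeds[asset].maxAge;
        if (limit == 0) revert FeedNotConfigured(asset);
        return _fresh(asset, limit);
    }

    function _fresh(address asset, uint256 limit) private view returns (uint256) {
        Feed storage f = feeds[asset];
        uint256 age = block.timestamp - f.updatedAt;
        if (age > limit) revert StalePrice(asset, age, limit);
        return f.price;
    }
}
```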

@github-actions github-actions bot closed this as completed Sep 5, 2024
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Sep 5, 2024
@z3s z3s removed the Medium A Medium severity issue. label Sep 15, 2024
@sherlock-admin4 sherlock-admin4 changed the title Attractive Caramel Fox - The Redstone oracle can report stale prices 000000 - The Redstone oracle can report stale prices Sep 15, 2024
@sherlock-admin4 sherlock-admin4 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 15, 2024
@samuraii77

I will escalate later based on this comment as I am eligible to do so but for some reason, it does not let me escalate.

The issue should be valid and was invalidated as each asset has its own oracle and this can be changed. There is a question to the protocol in the README about this very scenario:

Q: Are there any hardcoded values that you intend to change before (some) deployments?
The following immutable might be modified before certain deployments: Timelock Duration, Timelock Deadline, MAX_QUEUE_LENGTH, Max Position Assets, Max Position Debt Pools

That value is clearly not included, thus we can not just assume that it will be changed. Issue should be a valid medium.

@AtanasDimulski

Escalate,
Per the above comment

@sherlock-admin3
Author

Escalate,
Per the above comment

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label Sep 16, 2024
@cvetanovv
Collaborator

I will reject the escalation because it is the same as the main issue. The escalation there will decide if #126 and its duplicates will be valid.

This comment will be taken into consideration when making the decision - #290 (comment)

Planning to reject the escalation.

@Evert0x

Evert0x commented Sep 22, 2024

Result:
Invalid
Duplicate of #126

@sherlock-admin2
Contributor

sherlock-admin2 commented Sep 22, 2024

Escalations have been resolved successfully!

Escalation status:

@sherlock-admin3 sherlock-admin3 removed the Escalated This issue contains a pending escalation label Sep 22, 2024
@sherlock-admin4 sherlock-admin4 added the Escalation Resolved This issue's escalations have been approved/rejected label Sep 22, 2024
@cvetanovv cvetanovv added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue Medium A Medium severity issue. and removed Non-Reward This issue will not receive a payout labels Oct 11, 2024