Description

The comment of the function getOraclePrice states, Reverts if the price data is older than 1 day. The implementation checks whether the price is stale by comparing the sum of the updatedTimestamp and the heartbeat with the current timestamp.

/**
 * @dev Retrieves the latest price from the oracle
 * @return price from the oracle
 * @dev Reverts if the price data is older than 1 day
 */
function getOraclePrice(address quote, address base) public view returns(uint256) {
  // [...]
  if (updatedTimestamp + OracleFeeds(oracleFeeds).feedHeartbeats(feed) < block.timestamp) {
    revert StalePrice();
  }
  // [...]
}

The heartbeat can be set arbitrarily through the function setPriceFeed. There is no check to prevent the heartbeat from being too long.

function setPriceFeed(address tokenA, address tokenB, address priceFeed, uint256 heartbeat) external onlyRole(GOV_ROLE) {
    priceFeeds[tokenA][tokenB] = priceFeed;

    if (heartbeat == 0) {
      heartbeat = 1 days;
    }

    feedHeartbeats[priceFeed] = heartbeat;
}

Impact

Users of the oracle may obtain stale prices that are more than one day old.

Recommendations

Consider adding a check in the function setPriceFeed to ensure that the heartbeat is not greater than one day.

Remediation

Because heartbeats can only be set by the governance, Plaza Finance are confident that they are going to be within reasonable parameters. But Plaza Finance updated the comment to match the code.

This issue has been acknowledged by Plaza Finance, and a fix was implemented in commit 20947533↗.