Potentially obtaining a stale price
Description
The comment on the function getOraclePrice states, "Reverts if the price data is older than 1 day". The implementation checks whether the price is stale by comparing the sum of the updatedTimestamp and the heartbeat with the current timestamp.
/**
 * @dev Retrieves the latest price from the oracle
 * @return price from the oracle
 * @dev Reverts if the price data is older than 1 day
 */
function getOraclePrice(address quote, address base) public view returns(uint256) {
    // [...]
    if (updatedTimestamp + OracleFeeds(oracleFeeds).feedHeartbeats(feed) < block.timestamp) {
        revert StalePrice();
    }
    // [...]
}
The heartbeat can be set arbitrarily through the function setPriceFeed. There is no check to prevent the heartbeat from being too long.
function setPriceFeed(address tokenA, address tokenB, address priceFeed, uint256 heartbeat) external onlyRole(GOV_ROLE) {
    priceFeeds[tokenA][tokenB] = priceFeed;
    if (heartbeat == 0) {
        heartbeat = 1 days;
    }
    feedHeartbeats[priceFeed] = heartbeat;
}
Impact
Users of the oracle may obtain stale prices that are more than one day old.
Recommendations
Consider adding a check in the function setPriceFeed to ensure that the heartbeat is not greater than one day.
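One way to implement the recommended bound, as an added example that is not Plaza Finance's code. MAX_HEARTBEAT, HeartbeatTooLong, NotGovernance, the onlyGov modifier (a stand-in for onlyRole(GOV_ROLE)) and the isStale helper are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: setPriceFeed with an upper bound on the heartbeat.
contract BoundedOracleFeeds {
    // Assumption: the cap equals the one-day limit named in the finding.
    uint256 public constant MAX_HEARTBEAT = 1 days;

    // Hypothetical errors, not taken from the audited code base.
    error HeartbeatTooLong(uint256 heartbeat, uint256 maxHeartbeat);
    error NotGovernance();

    // Stand-in for the role check onlyRole(GOV_ROLE) in the original.
    address public immutable governance;

    mapping(address => mapping(address => address)) public priceFeeds;
    mapping(address => uint256) public feedHeartbeats;

    constructor(address governance_) {
        governance = governance_;
    }

    modifier onlyGov() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    function setPriceFeed(address tokenA, address tokenB, address priceFeed, uint256 heartbeat) external onlyGov {
        // Same default as the original: zero means one day.
        if (heartbeat == 0) {
            heartbeat = 1 days;
        }
        // New check: reject any heartbeat longer than the documented limit
        // before any state is written.
        if (heartbeat > MAX_HEARTBEAT) {
            revert HeartbeatTooLong(heartbeat, MAX_HEARTBEAT);
        }
        priceFeeds[tokenA][tokenB] = priceFeed;
        feedHeartbeats[priceFeed] = heartbeat;
    }

    /// Same comparison as the staleness check in getOraclePrice.
    /// With the cap enforced above, a price that passes this check is
    /// at most MAX_HEARTBEAT old. An unconfigured feed has heartbeat 0,
    /// so only a price updated in the current block passes for it.
    function isStale(address feed, uint256 updatedTimestamp) public view returns (bool) {
        return updatedTimestamp + feedHeartbeats[feed] < block.timestamp;
    }
}
```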
Remediation
Because heartbeats can only be set by governance, Plaza Finance is confident that they will be within reasonable parameters. However, Plaza Finance updated the comment to match the code.
This issue has been acknowledged by Plaza Finance, and a fix was implemented in commit 20947533.