Delaying block production or influencing the timing of price updates can lead to incorrect price feeds that attackers use to profit.
Game
You’ve come across a contract that relies on an oracle to provide time-sensitive price data. It assumes the oracle always provides up-to-date information.
But what if the oracle provides stale or outdated prices? Can you trust its time logs?
```solidity
// SPDX-License-Identifier: MIT
// Open me in VSCode and really think before opening the hints!
// Add @audit tags wherever suspicious
// Go to the solidity docs to complete missing knowledge of what's happening here
// Solve by drafting a fix!
pragma solidity ^0.8.0;

interface IPriceOracle {
    function getPrice() external view returns (uint256);
    function getLastUpdatedTime() external view returns (uint256);
}

contract TimeLogsGame {
    IPriceOracle public oracle;
    uint256 public totalValue;

    constructor(address _oracle, uint256 _initialValue) {
        oracle = IPriceOracle(_oracle);
        totalValue = _initialValue;
    }

    // Update total value based on oracle price
    function updateValue() public {
        uint256 price = oracle.getPrice();
        uint256 lastUpdated = oracle.getLastUpdatedTime();
        require(price > 0, "Invalid price");
        require(lastUpdated > 0, "Invalid timestamp");
        totalValue = totalValue * price / 1e18; // Adjust value based on price
    }
}
```
What happens if the oracle’s lastUpdated timestamp is far in the past? How could this affect the validity of the price?
Consider enforcing stricter rules around the freshness of oracle data to ensure calculations are based on recent information.
```solidity
uint256 public constant MAX_DELAY = 1 hours; // Fix: Define maximum allowed delay

function updateValue() public {
    uint256 price = oracle.getPrice();
    uint256 lastUpdated = oracle.getLastUpdatedTime();
    require(price > 0, "Invalid price");
    require(lastUpdated > 0, "Invalid timestamp");
    require(block.timestamp - lastUpdated <= MAX_DELAY, "Price data too old"); // Fix: Enforce freshness
    totalValue = totalValue * price / 1e18;
}
```
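To check the freshness rule at its boundaries, the following added example (not part of the original game) is a single-file Foundry test. It assumes a Foundry project with forge-std installed; `MockOracle`, `FreshValue` and the test names are hypothetical, and `FreshValue` goes one step beyond the fix above by rejecting oracle timestamps that lie in the future.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Test} from "forge-std/Test.sol"; // assumption: run with `forge test`

// Constructed mock: public getters match the page's IPriceOracle function names.
contract MockOracle {
    uint256 public getPrice = 2e18;
    uint256 public getLastUpdatedTime;
    function setTime(uint256 t) external { getLastUpdatedTime = t; }
}

// Hypothetical consumer (not the page's contract): the page's fix plus a future-timestamp check.
contract FreshValue {
    uint256 public constant MAX_DELAY = 1 hours;
    MockOracle public oracle;
    uint256 public totalValue = 100e18;
    constructor(MockOracle o) { oracle = o; }
    function updateValue() public {
        uint256 price = oracle.getPrice();
        uint256 lastUpdated = oracle.getLastUpdatedTime();
        require(price > 0, "Invalid price");
        require(lastUpdated > 0, "Invalid timestamp");
        // Without this, a future timestamp reverts with an opaque arithmetic panic.
        require(lastUpdated <= block.timestamp, "Timestamp in future");
        require(block.timestamp - lastUpdated <= MAX_DELAY, "Price data too old");
        totalValue = totalValue * price / 1e18;
    }
}

contract FreshValueTest is Test {
    MockOracle oracle = new MockOracle();
    FreshValue game = new FreshValue(oracle);
    function setUp() public { vm.warp(1_700_000_000); } // constructed "now", larger than MAX_DELAY
    function testAcceptsPriceAtLimit() public {
        oracle.setTime(block.timestamp - 1 hours); // exactly MAX_DELAY old
        game.updateValue();
        assertEq(game.totalValue(), 200e18);
    }
    function testRejectsStalePrice() public {
        oracle.setTime(block.timestamp - 1 hours - 1); // one second past MAX_DELAY
        vm.expectRevert(bytes("Price data too old"));
        game.updateValue();
    }
    function testRejectsFutureTimestamp() public {
        oracle.setTime(block.timestamp + 1);
        vm.expectRevert(bytes("Timestamp in future"));
        game.updateValue();
    }
}
```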