
Tart Vinyl Octopus - TokenOracle.timeout is not updated in UsualOracle when initializeTokenOracle is called #144

sherlock-admin4 opened this issue Mar 11, 2025 · 0 comments

Tart Vinyl Octopus

Medium

TokenOracle.timeout is not updated in UsualOracle when initializeTokenOracle is called

Summary

The TokenOracle.timeout variable is used to check whether the price returned by the price feed is recent enough for our use.
It is not set when a token oracle is initialized, so there is no value to compare latestPrice's last-updated timestamp against, and the freshness of the price cannot be verified.

Root Cause

TokenOracle.timeout is not set in UsualOracle::initializeTokenOracle when support for a new token is added.

Internal Pre-conditions

  1. Admin calls UsualOracle::initializeTokenOracle to add support for a new token, which may or may not be a stablecoin.

External Pre-conditions

  1. The price feed for the initialized token returns a stale price.

Attack Path

  1. UsualOracle::getPrice is called to fetch the latest price for that token.

Impact

Consumers of UsualOracle call getPrice expecting the latest price, but because the staleness check has no timeout to enforce, they may receive a stale price.

PoC

Textual PoC in 2 steps:

  1. Admin calls initializeTokenOracle to initialize the oracle for a token. The admin supplies the timeout parameter, but it is never written to storage.

  2. getPrice is called for the token initialized in step 1. The returned price can be stale, because the staleness check cannot be applied without the timeout value.

Mitigation

Add the following at the end of the initializeTokenOracle function:

    $.tokenToOracleInfo[token].timeout = timeout;
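The following is an added illustration written for this page; it is not Usual's code and does not reproduce UsualOracle's real storage layout, interface or modifiers. The `IPriceFeed` interface, the `TokenOracle` struct fields, the `admin` address and the error names are assumptions chosen to make the example self-contained. It places the initializer as described in the report (timeout parameter accepted but never stored) beside the mitigated version, and shows a `getPrice` that both enforces the freshness window and refuses to serve a token whose window was never configured, so the omission fails loudly instead of silently disabling the staleness check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal Chainlink-style feed interface (not part of the original report).
interface IPriceFeed {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical simplified oracle that keeps a per-token timeout,
// modelled on the TokenOracle.timeout field the report refers to.
contract MinimalTokenOracle {
    struct TokenOracle {
        IPriceFeed dataSource;
        bool isStablecoin;
        uint64 timeout; // maximum accepted price age in seconds; 0 means "never configured"
    }

    error NotAdmin();
    error ZeroTimeout();
    error OracleNotInitialized(address token);
    error OracleTimeoutNotSet(address token);
    error InvalidPrice(address token, int256 answer);
    error StalePrice(address token, uint256 updatedAt, uint64 timeout);

    address public immutable admin; // assumption: a single admin, not the project's real access control
    mapping(address => TokenOracle) internal tokenToOracleInfo;

    constructor(address admin_) {
        admin = admin_;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // Variant mirroring the report's root cause: `timeout` is a parameter but is never written.
    function initializeTokenOracleMissingTimeout(address token, address dataSource, uint64 timeout, bool isStablecoin)
        external
        onlyAdmin
    {
        tokenToOracleInfo[token].dataSource = IPriceFeed(dataSource);
        tokenToOracleInfo[token].isStablecoin = isStablecoin;
        // `timeout` is silently dropped here, so getPrice has no window to compare against.
    }

    // Mitigated variant: stores the timeout alongside the rest of the token info,
    // and rejects a zero window so "unconfigured" and "configured" can never be confused.
    function initializeTokenOracle(address token, address dataSource, uint64 timeout, bool isStablecoin)
        external
        onlyAdmin
    {
        if (timeout == 0) revert ZeroTimeout();
        tokenToOracleInfo[token].dataSource = IPriceFeed(dataSource);
        tokenToOracleInfo[token].isStablecoin = isStablecoin;
        tokenToOracleInfo[token].timeout = timeout;
    }

    function getPrice(address token) external view returns (uint256) {
        TokenOracle storage info = tokenToOracleInfo[token];
        if (address(info.dataSource) == address(0)) revert OracleNotInitialized(token);
        // Defence in depth: a zero timeout is exactly the state the buggy initializer leaves behind.
        // Reverting here turns a silent stale-price risk into an explicit configuration error.
        if (info.timeout == 0) revert OracleTimeoutNotSet(token);

        (, int256 answer,, uint256 updatedAt,) = info.dataSource.latestRoundData();
        if (answer <= 0) revert InvalidPrice(token, answer);
        // The staleness check the report is about: reject any answer older than the configured window.
        if (block.timestamp > updatedAt + info.timeout) revert StalePrice(token, updatedAt, info.timeout);
        return uint256(answer);
    }

    function getTimeout(address token) external view returns (uint64) {
        return tokenToOracleInfo[token].timeout;
    }
}
```

With this layout, a token initialized through `initializeTokenOracleMissingTimeout` causes every `getPrice` call to revert with `OracleTimeoutNotSet`, which is the behaviour a consumer wants when the freshness window is missing; the one-line mitigation in the report is what makes `initializeTokenOracle` populate that window so the `StalePrice` check can actually run.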