Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Oracle begins in stale state due to uninitialized lastOracleUpdateTime #39

Open
CergyK opened this issue Dec 7, 2024 · 2 comments
Open

Oracle begins in stale state due to uninitialized lastOracleUpdateTime #39

CergyK opened this issue Dec 7, 2024 · 2 comments
Labels
Low/Info A Low/Info severity issue.

Comments

@CergyK
Copy link
Collaborator

CergyK commented Dec 7, 2024

Description

In the context of BinaryEligibilityOracleEarningPowerCalculator, lastOracleUpdateTime is used to determine if the oracle setting the scores for individual delegatees is stale. Unfortunately this value is not set in the constructor, meaning the oracle begins in the stale state. This means that a user can initialize many deposits which have max earning power right after calculator creation. Unless these deposits are bumped using requestedTip == 0, these deposits will be valid when rewards are first notified and will be eligible for rewards.

BinaryEligibilityOracleEarningPowerCalculator.sol#L109-L122:

constructor(
    address _owner,
    address _scoreOracle,
    uint256 _staleOracleWindow,
    address _oraclePauseGuardian,
    uint256 _delegateeScoreEligibilityThreshold,
    uint256 _updateEligibilityDelay
  ) Ownable(_owner) {
    _setScoreOracle(_scoreOracle);
    STALE_ORACLE_WINDOW = _staleOracleWindow;
    _setOraclePauseGuardian(_oraclePauseGuardian);
    _setDelegateeScoreEligibilityThreshold(_delegateeScoreEligibilityThreshold);
    _setUpdateEligibilityDelay(_updateEligibilityDelay);
    //@audit missing lastOracleUpdateTime initialization 
  }

Recommendation

Please consider initializing lastOracleUpdateTime, to avoid it being stale at the start:

BinaryEligibilityOracleEarningPowerCalculator.sol#L109-L122:

constructor(
    address _owner,
    address _scoreOracle,
    uint256 _staleOracleWindow,
    address _oraclePauseGuardian,
    uint256 _delegateeScoreEligibilityThreshold,
    uint256 _updateEligibilityDelay
  ) Ownable(_owner) {
    _setScoreOracle(_scoreOracle);
    STALE_ORACLE_WINDOW = _staleOracleWindow;
    _setOraclePauseGuardian(_oraclePauseGuardian);
    _setDelegateeScoreEligibilityThreshold(_delegateeScoreEligibilityThreshold);
    _setUpdateEligibilityDelay(_updateEligibilityDelay);
+   lastOracleUpdateTime = block.timestamp;
  }
@CergyK CergyK added the Low/Info A Low/Info severity issue. label Dec 7, 2024
@alexkeating alexkeating mentioned this issue Dec 11, 2024
Closed
4 tasks
@alexkeating
Copy link

Will fix

@CergyK
Copy link
Collaborator Author

CergyK commented Dec 16, 2024

Fixed by withtally/staker#89

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Low/Info A Low/Info severity issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexkeating @CergyK