fix(settlement): reject stale oracle prices with conservative fallback#43
Merged
elizabetheonoja-art merged 2 commits intoJun 25, 2026
Conversation
Utility-Protocol#7) finalize_settlement priced volume from the oracle without checking the feed's freshness. A stale feed lets an attacker accumulate under-priced settlements during the stale window. - constants: MAX_ORACLE_AGE=600 (compile-time bounded to [300,3600]), FALLBACK_RATE=50_000_000, MAX_STALENESS_TOLERANCE - rate_application: is_stale(), apply_rate_to_volume(), resolve_rate() (fresh price or conservative FALLBACK_RATE + StaleFbk event), and a strict get_fresh_rate() -> Result<i128, OracleStale> - lib.rs: extend PriceOracle interface with get_price() -> OraclePrice (mirrors price_oracle::PriceData incl. last_updated); add SettlementError::OracleStale; finalize_settlement uses resolve_rate so rate_used reflects the rate actually applied - conversion: take the resolved rate as a parameter - tests: fresh (under + boundary), stale->fallback, strict Result rejection, plus pure unit tests for is_stale/apply_rate_to_volume and the MAX_ORACLE_AGE bound Note: the real tariff oracle lives in utility_contracts, which does not compile (129+ pre-existing SDK-23 errors per COMPILATION_STATUS.md). The staleness control is implemented in the settlement crate where the rate is consumed (issue step 7) and the code builds/tests cleanly.
…s-settlement # Conflicts: # contracts/settlement/src/lib.rs # contracts/settlement/src/test.rs
elizabetheonoja-art
approved these changes
Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix(settlement): reject stale oracle prices with conservative fallback
Closes #7
constants.rsMAX_ORACLE_AGE = 600(epoch-seconds), compile-time enforced to be within[300, 3600]via aconst _: () = assert!(…).FALLBACK_RATE = 50_000_000(7-decimal fixed point),MAX_STALENESS_TOLERANCE.rate_application.rsis_stale(now, last_updated)— stale ⇔age > MAX_ORACLE_AGE(boundary age isfresh; saturating sub tolerates clock skew).
apply_rate_to_volume(volume, rate)— overflow-checkedvolume * rate / 1e7.resolve_rate(env, oracle)— fresh oracle price, else conservativeFALLBACK_RATEwith aStaleFbk(now, last_updated, fallback)event.get_fresh_rate(env, oracle) -> Result<i128, SettlementError>— strict,halt-on-stale variant (step 7: propagate a
Resultinstead of panicking).lib.rsPriceOraclecross-contract interface withget_price() -> OraclePrice, an XDR-compatible mirror ofprice_oracle::PriceData(incl.last_updated).SettlementError::OracleStale.finalize_settlementnow usesresolve_rate, sorate_usedreflects the rateactually applied (fresh price or fallback).
conversion.rs—convert_to_settlement_currencytakes the already-resolvedrateas a parameter (single source of truth; no double oracle fetch).Files
contracts/settlement/src/constants.rscontracts/settlement/src/rate_application.rscontracts/settlement/src/conversion.rscontracts/settlement/src/lib.rscontracts/settlement/src/test.rs