Last updated: February 06, 2026

SCWE-130: Admin-Write Oracle Without Delay

Stable Version v1.0

This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

Price feeds that let an admin push arbitrary values immediately (with no delay and no quorum) allow an insider to force liquidations, manipulate collateralization, or drain AMMs in a single transaction. Even trusted operators can be compromised, so the risk is not limited to malicious insiders.

Remediation

  • Require a multi-sig quorum plus a timelock for manual price pushes, and emit events so the queued value can be monitored before it takes effect.
  • Use decentralized oracles with aggregation/quorum instead of single-writer feeds.
  • Enforce bounds/deviation checks against reference feeds and reject outliers.
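The following contract is an added illustration of the three remediation bullets combined (it is example code, not part of the SCWE project): a manual price push must be approved by a quorum of distinct guardians, then wait out a delay during which the queued value is visible in events, and is rejected at execution time if it deviates from a reference feed by more than a configured bound. The IReferenceFeed interface, the contract name and all parameter names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reference feed interface assumed for this example (not defined by the SCWE page).
interface IReferenceFeed {
    function latestPrice() external view returns (uint256);
}

// Manual price pushes need `quorum` distinct guardian approvals, then a `delay`
// during which monitors can react, and are rejected at execution time if they
// deviate from the reference feed by more than `maxDeviationBps`.
contract GuardedPriceFeed {
    struct Proposal {
        uint256 val;
        uint256 eta;       // earliest execute() time; 0 until quorum is reached
        uint256 approvals;
        bool settled;      // executed or rejected; proposals are single-use
    }

    uint256 public price;
    uint256 public immutable delay;
    uint256 public immutable quorum;
    uint256 public immutable maxDeviationBps; // 500 = 5 %
    IReferenceFeed public immutable reference;

    mapping(address => bool) public isGuardian;
    mapping(uint256 => Proposal) public proposals;
    mapping(uint256 => mapping(address => bool)) public approvedBy;
    uint256 public proposalCount;

    event PriceProposed(uint256 indexed id, address indexed by, uint256 val);
    event PriceApproved(uint256 indexed id, address indexed by, uint256 approvals);
    event PriceQueued(uint256 indexed id, uint256 val, uint256 eta);
    event PriceExecuted(uint256 indexed id, uint256 val);
    event PriceRejected(uint256 indexed id, uint256 val, uint256 referenceVal);

    modifier onlyGuardian() {
        require(isGuardian[msg.sender], "not guardian");
        _;
    }

    constructor(address[] memory guardians, uint256 quorum_, uint256 delay_,
                uint256 maxDeviationBps_, IReferenceFeed reference_) {
        require(quorum_ > 0 && quorum_ <= guardians.length, "bad quorum");
        for (uint256 i = 0; i < guardians.length; i++) isGuardian[guardians[i]] = true;
        quorum = quorum_;
        delay = delay_;
        maxDeviationBps = maxDeviationBps_;
        reference = reference_;
    }

    // Step 1: a guardian proposes a value; the proposal counts as their own approval.
    function propose(uint256 p) external onlyGuardian returns (uint256 id) {
        id = ++proposalCount;
        proposals[id].val = p;
        emit PriceProposed(id, msg.sender, p);
        _approve(id);
    }

    // Step 2: further guardians approve; the delay clock starts only once quorum is met.
    function approve(uint256 id) external onlyGuardian {
        _approve(id);
    }

    function _approve(uint256 id) internal {
        Proposal storage prop = proposals[id];
        require(id != 0 && id <= proposalCount && !prop.settled, "not open");
        require(!approvedBy[id][msg.sender], "already approved");
        approvedBy[id][msg.sender] = true;
        prop.approvals += 1;
        emit PriceApproved(id, msg.sender, prop.approvals);
        if (prop.approvals == quorum) {
            prop.eta = block.timestamp + delay;
            emit PriceQueued(id, prop.val, prop.eta);
        }
    }

    // Step 3: anyone may execute once the delay has elapsed. The deviation check runs
    // at execution time, so a value that drifted into outlier territory while queued
    // is still rejected rather than applied.
    function execute(uint256 id) external {
        Proposal storage prop = proposals[id];
        require(prop.eta != 0 && !prop.settled, "not queued");
        require(block.timestamp >= prop.eta, "too early");
        prop.settled = true;
        uint256 ref = reference.latestPrice();
        uint256 diff = prop.val > ref ? prop.val - ref : ref - prop.val;
        // diff / ref > maxDeviationBps / 10_000, rearranged to avoid integer division
        if (ref == 0 || diff * 10_000 > ref * maxDeviationBps) {
            emit PriceRejected(id, prop.val, ref);
            return;
        }
        price = prop.val;
        emit PriceExecuted(id, prop.val);
    }
}
```

Two design choices worth noting. A rejected outlier is recorded with a PriceRejected event and the proposal is marked settled instead of reverting, because a revert leaves no log for off-chain monitors; the guardians must re-propose if the reference feed was the one at fault. And a proposal that gathers more than `quorum` approvals does not restart its delay, since `eta` is set exactly once when the count reaches the quorum.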

Examples

Vulnerable

uint256 public price;

// A single owner key moves the price instantly; there is no delay, quorum, or sanity check.
function setPrice(uint256 p) external onlyOwner {
    price = p; // immediate effect
}

Fixed

struct Price { uint256 val; uint256 eta; }
event PriceQueued(uint256 val, uint256 eta);
Price public queued;
uint256 public immutable delay; // set at deployment

function queuePrice(uint256 p) external onlyGuardian {
    queued = Price({val: p, eta: block.timestamp + delay});
    emit PriceQueued(p, queued.eta); // monitors get the whole delay to react
}
function execute() external {
    require(queued.eta != 0, "nothing queued"); // an empty slot would otherwise set price to 0
    require(block.timestamp >= queued.eta, "too early");
    price = queued.val;
}