defirisk.co
rubric v1.7.0

Oracle staleness check present

Usual (USD0 / bUSD0 / USUAL)'s assessment for RD-F-059 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The oracle staleness check is MISSING from live price reads. Two Sherlock audit findings confirm this: (1) Oct 2024 Sherlock audit 2024-10-usual-labs-v1-judging, Issue #8: the USYC oracle's latestRoundData is called without checking updatedAt for staleness; (2) Feb 2025 Sherlock audit 2025-02-usual-labs-judging, Issue #106: UsualOracle#_latestRoundData() lacks staleness verification: 'the timeout is not stored and the _latestRoundData() function lacks this verification, potentially leading to return of stale values.' The initializeTokenOracle timeout parameter is checked ONCE, at initialization only; per the tech docs, 'this check is only performed once.' Live oracle reads therefore proceed without staleness validation. A stale USYC price could enable profitable arbitrage that drains the protocol (the Feb 2025 finding estimated ~98,900 USD profit from a single stale-price exploit).

Sources

  • Docs
    ClassicalOracle | Usual Tech Docs (tech.usual.money). ClassicalOracle: 'the new price feed must have been last updated within the last timeout seconds, and this check is only performed once' — confirms runtime staleness check is absent. Retrieved 2026-05-17.

Methodology

Determine whether the protocol rejects oracle reads older than a declared maximum age (i.e., checks `updatedAt > block.timestamp - maxStaleness`).
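
The methodology's condition enforced on every read, as an added Solidity example that is not Usual's code. The contract `StalenessCheckedOracle`, its errors and `latestPrice` are hypothetical names, and a Chainlink-style `latestRoundData` feed is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink-style feed interface (standard latestRoundData signature).
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical wrapper for illustration; names and layout are assumptions.
contract StalenessCheckedOracle {
    error InvalidTimeout();
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxStaleness);

    AggregatorV3Interface public feed;
    // Stored in contract state so every read can enforce it, not only initialization.
    uint256 public maxStaleness;

    constructor(AggregatorV3Interface feed_, uint256 maxStaleness_) {
        if (maxStaleness_ == 0) revert InvalidTimeout();
        feed = feed_;
        maxStaleness = maxStaleness_;
        _read(); // a feed that is already stale cannot be registered
    }

    // Live read path: reverts instead of returning an old price.
    function latestPrice() external view returns (uint256 price, uint256 updatedAt) {
        return _read();
    }

    function _read() internal view returns (uint256, uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        // Accepts only `updatedAt > block.timestamp - maxStaleness`, rearranged so the
        // subtraction cannot underflow; zero and future timestamps are rejected too.
        if (
            updatedAt == 0 ||
            updatedAt > block.timestamp ||
            block.timestamp - updatedAt >= maxStaleness
        ) revert StalePrice(updatedAt, maxStaleness);
        return (uint256(answer), updatedAt);
    }
}
```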


rubric_version: v1.7.0; protocol: usual; factor: RD-F-059; score: red; collected_at: 2026-05-16 20:39:44