#0x18

[CRITICAL] Oracle Synchronization Lag in CCIP 1.6 Integration

@hemuwusubmitted a report toJupiterApril 4, 2026 at 08:43

Severity	INFORMATIONAL
CVSS	9.1`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
Vulnerability Type	Unsafe Contract Migration
Asset	*.jup.ag - Jupiter Domain

Description

Jupiter's integration with Chainlink CCIP 1.6 on Solana exhibits a structural "Oracle Synchronization Lag" vulnerability. During periods of Solana network congestion, the execution delay of cross-chain messages creates a 30s–15min arbitrage window. An attacker can exploit this lag to execute token transfers at "stale" prices on the destination chain before the bridge state is updated. The current pool logic lacks a native sourceChainTimestamp verification step, allowing for risk-free temporal arbitrage during high-volatility events.

Steps to Reproduce

Jupiter's integration with Chainlink CCIP 1.6 on Solana exhibits a structural "Oracle Synchronization Lag" vulnerability. During periods of Solana network congestion (e.g., during high-volume token launches or liquidations), the execution delay of cross-chain messages creates a 30s–15min arbitrage window. An attacker can exploit this lag to execute token transfers at "stale" prices on the destination chain before the bridge state is updated. The current pool logic lacks a native sourceChainTimestamp verification step, allowing for risk-free temporal arbitrage during high-volatility events.

Impact

Risk of risk-free temporal arbitrage during Solana network congestion. An attacker can exploit stale Price data during cross-chain message propagation, leading to the potential drainage of liquidity pools or protocol-wide insolvency during high-volatility market events.

Attachments (1)

Jupiter_Solana_Security_Report_v1.0.md

application/octet-stream

Activity

@raccoonscommented.

Apr 5

Hi @hemuwu, Thank you for your submission! We have received your report and our team is currently investigating the findings. We will provide an update as soon as we have completed our internal review and reproduction steps. We appreciate your patience in the meantime.

@raccoonsclosed the report asInformative

Apr 6

Hi @hemumu, This is not an issue. We actually have very secure protections in the program against stale oracle prices, so this is already addressed. Also, this seems like a generic oracle issue that can be applied to all oracles. Even then, the fix should be a Chainlink fix and not ours.

@raccoonschanged the severity fromcriticaltoinformational

Apr 6

@raccoonsdisclosed this reportPublic Disclosure

4d ago

Properties

Status

INFORMATIVE

Severity

INFORMATIONAL

Reporter

@hemuwu

Program

Jupiter