15,000 USDC
View results
Submission Details
Severity: medium
Valid

Chainlink Oracle will return the wrong price for asset if underlying aggregator hits minAnswer

Summary

Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.

Vulnerability Details

OracleLib.sol uses the ChainlinkFeedRegistry to obtain the price of the requested tokens.

The protocol intends to work with all USD denominated pairs.

ChainlinkFeedRegistry#latestRoundData pulls the associated aggregator and requests round data from it. ChainlinkAggregators have minPrice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minPrice, the protocol will continue to value the token at minPrice instead of it's actual value. This will allow users to take out huge amounts of bad debt and bankrupt the protocol.

Example: TokenA has a minPrice of $1. The price of TokenA drops to $0.10. The aggregator still returns $1 allowing the user to borrow against TokenA as if it is $1 which is 10x it's actual value.

There are a lot of USD denominated pairs in many different chains, so there is a large possibility that a USD pair can crash like LUNA did.

Impact

In the event that an asset crashes (i.e. LUNA) the protocol can be manipulated to give out loans at an inflated price. For example, token A has crashed from $1 to 10 cents but the aggregator still returns about 0.90 cents. Users can exploit this by buying a lot of cheap token A, eg buying 10000 token A at $1000, deposit the 10000 tokens into the protocol (the protocol will think it's worth $9000), mint $4500 worth of DSC stablecoin (200% collateralization ratio) and profit $3500 because of the oracle error.

Tools Used

Manual Review

Recommendations

ChainlinkAdapterOracle should check the returned answer against the minPrice/maxPrice and revert if the answer is outside of the bounds:

function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
public
view
returns (uint80, int256, uint256, uint256, uint80)
{
(uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
priceFeed.latestRoundData();
uint256 secondsSince = block.timestamp - updatedAt;
if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
+ if (answer >= maxPrice or answer <= minPrice) revert();
return (roundId, answer, startedAt, updatedAt, answeredInRound);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.