15,000 USDC
View results
Submission Details
Severity: medium
Valid

Chainlink oracle will return the wrong price if the aggregator hits minAnswer

Summary

Chainlink oracle will return the wrong price if the aggregator hits minAnswer

Vulnerability Details

Impact

Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band.
The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset.
This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded

In OracleLib.sol, staleCheckLatestRoundData() function,

File: src/libraries/OracleLib.sol
21 function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
22 public
23 view
24 returns (uint80, int256, uint256, uint256, uint80)
25 {
26 (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
27 priceFeed.latestRoundData();
28
29 uint256 secondsSince = block.timestamp - updatedAt;
30 if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();
31
32 return (roundId, answer, startedAt, updatedAt, answeredInRound);
33 }

Here, the function does not check the price acceptable range.

Tools Used

Manual Review

Recommendations

Consider using the following checks.

For example:

(uint80, int256 answer, uint, uint, uint80) = oracle.latestRoundData();
// minPrice check
require(answer > minPrice, "Min price exceeded");
// maxPrice check
require(answer < maxPrice, "Max price exceeded");

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.