15,000 USDC
Submission Details
Severity: medium
Valid

Liquidations and collateral withdrawals will revert if one of the oracles is down even

Summary

If one of the oracles for collateral tokens is down, liquidating a user will not be possible even if the user does not have collateral of the token whose oracle is down.

Vulnerability Details

In getAccountCollateralValue, a function that is used when liquidating users, the oracle of each token from s_collateralTokens is called. This means that if the oracle of one of these tokens is down, liquidating a user will not be possible even if this user does not have any collateral of the token whose oracle is down.

Impact

If one of the oracles is down, no user can be liquidated, not even users who do not have this token as collateral. This can result in DSC being undercollateralized if tokens other than the one whose oracle is down lose value rapidly.

Tools Used

Manual review

Recommendations

Implement a check for whether the amount of the token that the user has as collateral is 0. If so, skip calling getUsdValue for this token and thereby skip calling its oracle. This way, at least the users that do not have this token as collateral can be liquidated. Another solution would be to integrate a backup oracle (i.e. UniV3 TWAP) that is called if the Chainlink oracle is down.
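The first recommendation, sketched as an added example (not the audited project's code). getAccountCollateralValue, getUsdValue and s_collateralTokens are named in the finding; the contract name, s_priceFeeds, s_collateralDeposited, recordDeposit and the precision constants are assumptions made so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's AggregatorV3Interface, declared inline so this file compiles alone.
interface AggregatorV3Interface {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical reduced engine: only the state needed to value an account's collateral.
contract CollateralValuation {
    uint256 private constant FEED_PRECISION = 1e10; // assumption: 8-decimal USD feeds
    uint256 private constant PRECISION = 1e18;      // assumption: 18-decimal tokens

    address[] private s_collateralTokens;
    mapping(address => address) private s_priceFeeds;                              // token => feed
    mapping(address => mapping(address => uint256)) private s_collateralDeposited; // user => token => amount

    constructor(address[] memory tokens, address[] memory feeds) {
        require(tokens.length == feeds.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            s_priceFeeds[tokens[i]] = feeds[i];
            s_collateralTokens.push(tokens[i]);
        }
    }

    // Bookkeeping only (no token transfer), so the valuation path can be exercised.
    function recordDeposit(address token, uint256 amount) external {
        require(s_priceFeeds[token] != address(0), "token not allowed");
        s_collateralDeposited[msg.sender][token] += amount;
    }

    function getAccountCollateralValue(address user) public view returns (uint256 totalUsd) {
        for (uint256 i = 0; i < s_collateralTokens.length; i++) {
            address token = s_collateralTokens[i];
            uint256 amount = s_collateralDeposited[user][token];
            // Zero balance: this token cannot affect the result, so its oracle is
            // never called and a reverting feed cannot block this user's liquidation.
            if (amount == 0) continue;
            totalUsd += getUsdValue(token, amount);
        }
    }

    // Still reverts if the feed for a token the user actually holds is down.
    function getUsdValue(address token, uint256 amount) public view returns (uint256) {
        (, int256 price,,,) = AggregatorV3Interface(s_priceFeeds[token]).latestRoundData();
        require(price > 0, "invalid price");
        return (uint256(price) * FEED_PRECISION * amount) / PRECISION;
    }
}
```

Users who do hold the affected token remain blocked under this change; covering them requires the backup oracle from the second recommendation.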
