Chainlink aggregators return the incorrect price if it drops below `minAnswer`
Summary
Chainlink aggregators have a built in circuit breaker if the price of an asset
goes outside of a predetermined price band. The result is that if an asset
experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will
continue to return the minAnswer instead of the actual price of the asset.
Vulnerability Details
Chainlink's latestRoundData pulls the associated aggregator and requests round
data from it. ChainlinkAggregators have minAnswer and maxAnswer circuit
breakers built into them. This means that if the price of the asset drops below
the minAnswer, the protocol will continue to value the token at minAnswer
instead of it's actual value. This will allow users to exploit certain parts of
the protocol.
Impact
This discrepency could cause major issues within the protocol and potentially
lead to loss of funds. This is exactly what happened to
Venus on BSC when LUNA imploded.
Tools Used
Manual review
Recommendations
Add a check to revert if the price received from the oracle is
out of bounds, as is recommended in Chainlink's documentation.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.