DittoETH

Summary

When querying the oracle price, for assets others than USD, there is no check for high deviation from the previous price.

Vulnerability Details

In LibOracle.sol:getOraclePrice(), when asset is USD, there is a call to internal function baseOracleCircuitBreaker() that checks for the validity of the Chainlink oracle price. For the rest of the assets, the function oracleCircuitBreaker() is called instead.

However, while baseOracleCircuitBreaker() checks for deviation from the previous price, oracleCircuitBreaker() does not.

What is more, given that the asset/ETH price is calculated using both the asset/USD and ETH/USD prices, a high deviation in either of the two prices will result in a high deviation in the asset/ETH price.

From Chainlink documentation:

The data feed aggregator includes both minAnswer and maxAnswer values. On most data feeds, these values are no longer used and they do not stop your application from reading the most recent answer. For monitoring purposes, you must decide what limits are acceptable for your application.

Configure your application to detect when the reported answer is close to reaching reasonable minimum and maximum limits so it can alert you to potential market events. Separately, configure your application to detect and respond to extreme price volatility or prices that are outside of your acceptable limits.

Impact

The in correct asset price can be used, which can lead to many problems, including users being required to deposit more/less collateral than expected or being liquidated when they shouldn't be.

Tools Used

Manual review.

Recommendations

Implement a check for price deviation in baseOracleCircuitBreaker().