DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Valid

Core protocol functions stop working or have limited functionality when access to Chainlink price oracles is blocked

Summary

When access to Chainlink oracles is blocked, some core functions of the protocol stop working completely or have limited functionality. These include creating shorts with createLimitShort, exiting shorts with exitShort, and executing primary liquidations with liquidate.

Vulnerability Details

The protocol uses Chainlink to fetch prices, with a TWAP fallback if the Chainlink data is invalid. The Chainlink multisig can restrict access to fetching prices from its data price feeds. This is explicitly mentioned here and seen in Chainlink's code. When access is blocked, the call to the feed reverts, and because the protocol does not handle failed Chainlink calls, the revert propagates and causes a denial of service (DoS). Thus activities like creating shorts with createLimitShort, exiting shorts with exitShort, and executing primary liquidations with liquidate stop working completely or have limited functionality.

Impact

Users cannot perform activities like exiting shorts and executing liquidations.

Tools Used

VS Code

Recommendations

Use a try...catch expression to handle failed calls to the Chainlink oracle. The TWAP fallback should be used to fetch the price if the Chainlink call fails.
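
A sketch of the recommended pattern, added here as an illustration and not DittoETH's own code. The `ITwapSource` interface, the `GuardedOracle` contract and the `MAX_AGE` staleness bound are assumptions; `AggregatorV3Interface.latestRoundData()` is Chainlink's standard feed interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Chainlink's standard price-feed interface (only the function used here).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical TWAP source; the interface name and function are assumptions.
interface ITwapSource {
    function twapPrice() external view returns (uint256);
}

contract GuardedOracle {
    AggregatorV3Interface public immutable feed;
    ITwapSource public immutable twap;
    uint256 public constant MAX_AGE = 2 hours; // assumed staleness bound

    constructor(AggregatorV3Interface _feed, ITwapSource _twap) {
        feed = _feed;
        twap = _twap;
    }

    /// Returns the Chainlink answer when the call succeeds and the data passes
    /// basic checks; otherwise returns the TWAP price instead of reverting.
    function getPrice() external view returns (uint256 price, bool usedFallback) {
        try feed.latestRoundData() returns (uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80) {
            // Same path for "invalid data" and "call failed": both end at the TWAP.
            bool invalid = roundId == 0 || answer <= 0 || updatedAt == 0
                || updatedAt > block.timestamp || block.timestamp - updatedAt > MAX_AGE;
            if (!invalid) {
                return (uint256(answer), false);
            }
        } catch {
            // Feed reverted (for example, access was denied): fall through to TWAP.
        }
        return (twap.twapPrice(), true);
    }
}
```

Solidity's try/catch only catches reverts raised inside the external call: if the feed address has no code, or the returned data fails ABI decoding, the revert happens in the caller and is not caught. Emitting an event or exposing `usedFallback` to callers lets monitoring detect when the protocol is running on the fallback price.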

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-57
