The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

[M] Deprecated Chainlink feeds will result in incorrect price calculation

Summary

It seems that what happens is that Chainlink sets the aggregator address to the zero address once deprecated, which makes the call to latestRoundData() revert without any data (I guess this is due to the way Solidity handles calls to a non-contract address).

Vulnerability Details

There are several calls to both latestRoundData and getRoundData in the codebase.

This includes in the PriceCalculator.

function avgPrice(uint8 _hours, Chainlink.AggregatorV3Interface _priceFeed)

This function calculates the average price over a certain period by repeatedly calling _priceFeed.getRoundData(roundId).
If the oracle becomes deprecated and returns the zero address, the call to latestRoundData()
and subsequent getRoundData(roundId) within the while loop would fail.
This failure would prevent the calculation of the average price.

function tokenToEurAvg(ITokenManager.Token memory _token, uint256 _tokenValue)

This function uses avgPrice to convert token values to Euro averages.
If avgPrice fails due to oracle issues, this conversion process will be disrupted.

function tokenToEur(ITokenManager.Token memory _token, uint256 _tokenValue)
function eurToToken(ITokenManager.Token memory _token, uint256 _eurValue)

Both functions call latestRoundData() on Chainlink oracle feeds.
If the oracle feed is deprecated, these functions would fail to retrieve the latest data,
leading to inaccurate or failed conversions.

And in LiquidationPool.

function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC)

This function uses latestRoundData() from two different Chainlink oracle feeds
(one for EUR/USD and another for the specific asset being distributed).
If any of these oracles become deprecated, the function cannot accurately calculate and distribute assets,
leading to potential issues in liquidation and rewards distribution.

Impact

Inaccurate price calculations

Tools Used

Manual Review

Recommendations

Implement a circuit breaker that pauses liquidations or other critical functions when an oracle
feed is found to be unreliable or deprecated.
This adds a layer of security, preventing erroneous liquidations based on incorrect price data.
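
One way to implement the recommended circuit breaker, as an added example that is not part of the submission or of The Standard's code. The contract name, MAX_AGE, FeedFailure and tripIfUnhealthy are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical contract: its name, MAX_AGE and FeedFailure are assumptions.
contract GuardedPriceReader {
    uint256 public constant MAX_AGE = 1 days; // assumed staleness bound
    bool public paused;                        // circuit-breaker state

    event FeedFailure(address indexed feed);

    // Gate liquidation and distribution entry points with this modifier.
    modifier whenNotPaused() {
        require(!paused, "oracle circuit breaker tripped");
        _;
    }

    // Returns (false, 0) instead of reverting when the feed is unusable.
    function safeLatestPrice(AggregatorV3Interface feed)
        public view returns (bool ok, int256 price)
    {
        // try/catch does not catch the caller-side revert for a target with
        // no code, so check for code first.
        if (address(feed).code.length == 0) return (false, 0);
        // A revert inside the feed proxy (e.g. its aggregator was unset) is caught.
        try feed.latestRoundData() returns (
            uint80, int256 answer, uint256, uint256 updatedAt, uint80
        ) {
            if (answer <= 0) return (false, 0);
            if (updatedAt == 0 || updatedAt > block.timestamp) return (false, 0);
            if (block.timestamp - updatedAt > MAX_AGE) return (false, 0);
            return (true, answer);
        } catch {
            return (false, 0);
        }
    }

    // Anyone can trip the breaker once the feed is observed to be unusable.
    function tripIfUnhealthy(AggregatorV3Interface feed) external {
        (bool ok, ) = safeLatestPrice(feed);
        if (ok) return;
        paused = true;
        emit FeedFailure(address(feed));
    }
}
```

Resetting the breaker would need an access-controlled function, which is omitted here.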

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

chainlink-revert

0x27281m Auditor
over 1 year ago
hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

chainlink-revert
