The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

PriceCalculator will return the wrong price for asset if the underlying aggregator hits minAnswer

y0ng0p3

Summary

Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.

Vulnerability Details

clEurUsd.latestRoundData() pulls the associated aggregator and requests round data from it. Chainlink aggregators have minPrice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minimum price, the protocol will continue to value the token at the minimum price instead of it's actual value. This will allow users to take out huge amounts of bad debt and bankrupt the protocol.

Impact

If an asset collapses, like the recent USDC depeg, the protocol can be manipulated to grant loans at an inflated guarantee price.

Tools Used

Manual review

Recommendations

PriceCalculator should check the returned answer against the minPrice/maxPrice and revert if the answer is outside of the bounds:

File: contracts/utils/PriceCalculator.sol

function avgPrice(uint8 _hours, Chainlink.AggregatorV3Interface _priceFeed) private view returns (uint256) {

uint256 startPeriod = block.timestamp - _hours * 1 hours;

uint256 roundTS;

uint80 roundId;

int256 answer;

(roundId, answer,, roundTS,) = _priceFeed.latestRoundData();

+ if (answer <= minPrice) revert("lower price bound breached");

+ if (answer >= maxPrice) revert("upper price bound breached");

uint256 accummulatedRoundPrices = uint256(answer);

uint256 roundCount = 1;

while (roundTS > startPeriod && roundId > 1) {

roundId--;

try _priceFeed.getRoundData(roundId) {

(, answer,, roundTS,) = _priceFeed.getRoundData(roundId);

accummulatedRoundPrices += uint256(answer);

roundCount++;

} catch {

continue;

}

return accummulatedRoundPrices / roundCount;

}

function tokenToEurAvg(ITokenManager.Token memory _token, uint256 _tokenValue) external view returns (uint256) {

Chainlink.AggregatorV3Interface tokenUsdClFeed = Chainlink.AggregatorV3Interface(_token.clAddr);

uint256 scaledCollateral = _tokenValue * 10 ** getTokenScaleDiff(_token.symbol, _token.addr);

uint256 collateralUsd = scaledCollateral * avgPrice(4, tokenUsdClFeed);

(, int256 eurUsdPrice,,,) = clEurUsd.latestRoundData();

+ if (eurUsdPrice <= minPrice) revert("lower price bound breached");

+ if (eurUsdPrice >= maxPrice) revert("upper price bound breached");

return collateralUsd / uint256(eurUsdPrice);

}

function tokenToEur(ITokenManager.Token memory _token, uint256 _tokenValue) external view returns (uint256) {

Chainlink.AggregatorV3Interface tokenUsdClFeed = Chainlink.AggregatorV3Interface(_token.clAddr);

uint256 scaledCollateral = _tokenValue * 10 ** getTokenScaleDiff(_token.symbol, _token.addr);

(,int256 _tokenUsdPrice,,,) = tokenUsdClFeed.latestRoundData();

+ if (_tokenUsdPrice <= minPrice) revert("lower price bound breached");

+ if (_tokenUsdPrice >= maxPrice) revert("upper price bound breached");

uint256 collateralUsd = scaledCollateral * uint256(_tokenUsdPrice);

(, int256 eurUsdPrice,,,) = clEurUsd.latestRoundData();

+ if (eurUsdPrice <= minPrice) revert("lower price bound breached");

+ if (eurUsdPrice >= maxPrice) revert("upper price bound breached");

return collateralUsd / uint256(eurUsdPrice);

}

function eurToToken(ITokenManager.Token memory _token, uint256 _eurValue) external view returns (uint256) {

Chainlink.AggregatorV3Interface tokenUsdClFeed = Chainlink.AggregatorV3Interface(_token.clAddr);

+ uint256 minPrice = block.timestamp - THRESHOLD

(, int256 tokenUsdPrice,,,) = tokenUsdClFeed.latestRoundData();

+ if (tokenUsdPrice <= minPrice) revert("lower price bound breached");

+ if (tokenUsdPrice >= maxPrice) revert("upper price bound breached");

(, int256 eurUsdPrice,,,) = clEurUsd.latestRoundData();

+ if (eurUsdPrice <= minPrice) revert("lower price bound breached");

+ if (eurUsdPrice >= maxPrice) revert("upper price bound breached");

return _eurValue * uint256(eurUsdPrice) / uint256(tokenUsdPrice) / 10 ** getTokenScaleDiff(_token.symbol, _token.addr);

}

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

chainlink-minanswer

ljj Auditor

over 1 year ago

ubl4nk Auditor

over 1 year ago

Wish Auditor

over 1 year ago

dimulski Auditor

over 1 year ago

00xSEV Auditor

over 1 year ago

oxtenma Auditor

over 1 year ago

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

chainlink-minanswer

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.