Call to latestRoundData in LiquidationPool.distributeAsset() could potentially revert and make it impossible to query any prices. Feeds cannot be changed after they are configured in the constructor (https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L34).
Chainlink can block access to price feeds at will. If the call to the price feed fails, LiquidationPool.distributeAsset(), whether on L207 (https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L207) or L218 (https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L218), will revert, making it impossible to distribute the assets.
A potential revert could lead to DoS because the eurUsd feed cannot be changed, since it is only initialised once in the constructor. I consider it as a Medium.
Manual review
Surround the call to latestRoundData() with try/catch instead of calling it directly. The catch block can be used to call a fallback oracle or handle the error. Refer to https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles
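A sketch of the recommended pattern, added here as an example and not taken from The Standard's code base: a reverting primary feed is caught and a second feed is tried before giving up. The contract name GuardedPriceReader, the fallbackFeed and the NoPriceAvailable error are hypothetical, and the existence of a second feed is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal Chainlink aggregator interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper contract, not part of the audited project.
contract GuardedPriceReader {
    AggregatorV3Interface public immutable primaryFeed;
    AggregatorV3Interface public immutable fallbackFeed; // assumption: a second feed is available

    error NoPriceAvailable();

    constructor(address _primary, address _fallback) {
        primaryFeed = AggregatorV3Interface(_primary);
        fallbackFeed = AggregatorV3Interface(_fallback);
    }

    // Returns (ok, price). A revert inside the feed is caught and reported as ok = false.
    // Note: try/catch only covers reverts raised by the callee. A feed address without
    // code, or return data that fails to decode, still reverts in this contract.
    function _tryRead(AggregatorV3Interface feed) internal view returns (bool, int256) {
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256, uint80) {
            // Added sanity check: treat a non-positive answer as unusable.
            return (answer > 0, answer);
        } catch {
            return (false, 0);
        }
    }

    // Primary feed first, then the fallback; an explicit error only if both fail.
    function getPrice() public view returns (int256) {
        (bool ok, int256 price) = _tryRead(primaryFeed);
        if (ok) return price;
        (ok, price) = _tryRead(fallbackFeed);
        if (ok) return price;
        revert NoPriceAvailable();
    }
}
```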