Chainlink Related Issues
Summary
The function distributeAssets uses Chainlink oracle to get the prices of assets. It misses some sanity checks that can return stale/invalid prices.
Vulnerability Details
Not checking for stale prices. Oracle data feeds can return stale pricing data . If the returned pricing data is stale, this code will execute with prices that don’t reflect the current pricing resulting in a potential loss of funds for the user and/or the protocol. Smart contracts should always check the
updatedAtparameter returned fromlatestRoundData()and compare it to a staleness threshold.
Use the following:
Not Checking For Down L2 Sequencer. When using Chainlink with L2 chains like Arbitrum, smart contracts must check whether the L2 Sequencer is down to avoid stale pricing data that appears fresh - Chainlink’s official documentation provides an example implementation.
The function will use the wrong price if Chainlink returns a price outside the minimum/maximum range. Chainlink aggregators have a built-in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow users to continue using the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded - https://rekt.news/venus-blizz-rekt/
Use the following to mitigate:
Impact
The impact of the issues has already been detailed above in the Vulnerability Section.
Tools Used
Manual review
Recommendations
The mitigations have been mentioned above for reference.
Lead Judging Commences
Chainlink-price
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.