The Standard

Summary

Chainlink aggregators have a built-in circuit breaker to prevent the price of an asset from deviating outside a predefined price range. This circuit breaker may cause the oracle to persistently return the minPrice instead of the actual asset price in the event of a significant price drop, which will lead to assets distributed unfairly.

Vulnerability Details

In LiquidationPoolV3#distributeAssets() function, price is fetched and used to calculate % asset received:

                if (asset.amount > 0) {
                    (,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
                    uint256 _portion = asset.amount * _positionStake / stakeTotal;
                    uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd)
                        * _hundredPC / _collateralRate;
                    if (costInEuros > _position.EUROs) {
                        _portion = _portion * _position.EUROs / costInEuros;
                        costInEuros = _position.EUROs;
                    }

ChainlinkFeedRegistry#latestRoundData extracts the linked aggregator and requests round data from it. If an asset's price falls below the minPrice, the protocol continues to value the token at the minPrice rather than its real value. If price is below minPrice, costInEuros will be over calculated and user are forced to buy token with higher value, which is a loss for holders. Massive price drop can happen with WBTC, as it is bridge. When the bridge is exploited, price of WBTC will be dropped massively

Impact

Holders will receive less token than they should have in worst scenario.

Tools Used

Manual review.

Recommendations

Using other off-chain oracle providers, or using Uniswap's TWAP when chainlink failed to get price when the price is below minPrice.