The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

If asset price falls below minPrice or goes above maxPrice, then wrong price will be used

haxatron

Summary

If asset price falls below minPrice or goes above maxPrice, then wrong price will be used

Vulnerability Details

When distributing assets, the LP uses the Chainlink price aggregator here - https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L218. However, Chainlink aggregators have a built-in circuit breaker if the price of an asset goes outside of a predetermined price band. When this occurs, the asset price obtained will be incorrect and the incorrect number of EUROs will be burned from the LP pool leading to possible depegging

Impact

It is possible that incorrect number of EUROs will be burned from the LP pool leading to possible depegging.

Tools Used

Manual Review

Recommendations

Check whether the answer obtained from the latestRoundData is within minPrice and maxPrice in latestRoundData.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

chainlink-minanswer

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

chainlink-minanswer

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.