This bug report concerns a vulnerability in the LiquidationPool.sol smart contract: if the call to the Chainlink latestRoundData function reverts, the contract can end up in a permanent denial of service.
The call to latestRoundData is made directly, so any revert in the price feed propagates to the caller and makes price queries impossible when distributing assets.
Chainlink's multisigs can revoke access to a price feed at any time. As a precaution against such denial of service situations, Chainlink price feeds should be queried defensively using Solidity's try/catch construct. That way, if the price feed call fails, the calling contract retains control and can handle the error in a secure and explicit manner.
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L218
For further insights into potential risks and considerations when depending on external price feed providers, please consult the following resource:
https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles
Manual Review
Wrap the invocation of latestRoundData() in a try/catch block instead of calling it directly. If the call reverts, the catch block can trigger a fallback oracle or otherwise handle the error in an appropriate way.
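As an added example (not the project's code), a guarded read of a Chainlink feed in the spirit of the recommendation above. The contract, the `tryGetPrice` function and the `MAX_STALENESS` tolerance are hypothetical; the interface is Chainlink's AggregatorV3Interface reduced to the single function used here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Chainlink's AggregatorV3Interface, trimmed to the one function this example calls.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Added example (not the project's code): a price read that never lets a reverting
/// or misbehaving feed block the caller.
contract GuardedOracleReader {
    /// Emitted whenever the feed cannot be used, so off-chain monitoring can alert on it.
    event OracleCallFailed(address indexed feed, bytes reason);

    uint256 public constant MAX_STALENESS = 1 hours; // hypothetical freshness tolerance

    /// Returns (ok, price). When ok is false the caller should consult a fallback
    /// oracle or skip this asset rather than revert the whole distribution.
    function tryGetPrice(AggregatorV3Interface feed) internal returns (bool ok, int256 price) {
        try feed.latestRoundData() returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        ) {
            startedAt; // unused here; kept to match the feed's return signature
            // A call that succeeds can still return unusable data; treat that as a failure too.
            bool stale = updatedAt == 0 || block.timestamp - updatedAt > MAX_STALENESS;
            if (answer <= 0 || stale || answeredInRound < roundId) {
                emit OracleCallFailed(address(feed), "unusable round data");
                return (false, 0);
            }
            return (true, answer);
        } catch (bytes memory reason) {
            // The feed reverted (for example after access was revoked); control stays here.
            emit OracleCallFailed(address(feed), reason);
            return (false, 0);
        }
    }
}
```

Note that try/catch only catches failures inside the external call; a feed address that holds no code still reverts in the caller, so feed addresses should be validated when they are configured.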