ChainlinkAdapterOracle will return the wrong price for asset if underlying aggregator hits minAnswer
Summary
Chainlink aggregators have a built-in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the asset's actual price. This would allow users to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.
Vulnerability Details
The LiquidationPool uses Chainlink.AggregatorV3Interface.latestRoundData() function.
ChainlinkAggregators have minPrice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minPrice, the protocol will continue to value the token at minPrice instead of its actual value. This will allow users to take out huge amounts of bad debt and bankrupt the protocol.
Example: TokenA has a minPrice of 1USD. The price of TokenA drops to 0.10. The aggregator still returns 1 allowing the user to borrow against TokenA as if it is 1$ which is 10x its actual value.
Impact
If an asset crashes (i.e. LUNA) the protocol can be manipulated to give out loans at an inflated price.
Tools Used
Manual review
Recommendations
Consider using the following checks:
Lead Judging Commences
chainlink-minanswer
chainlink-minanswer
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.