The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Chainlink oracle will return the wrong price if the aggregator hits minAnswer

Summary

Chainlink aggregators have a built-in circuit breaker if the price of an asset goes outside of a predetermined price band.

As a result, if an asset experiences a huge drop in value (e.g. the LUNA crash), the oracle will continue to return minPrice instead of the actual price of the asset, and vice versa.

Vulnerability Details

No checks are done to prevent this behaviour. If a huge drop in value happens, costInEuros will be less than expected (because we are dividing, and the answer from Chainlink will be higher than the actual value), resulting in more rewards for the user and a loss for the protocol.
The Chainlink documentation proving the point: https://docs.chain.link/data-feeds/#check-the-latest-answer-against-reasonable-limits

Impact

This results in a loss for the protocol: costInEuros is supposed to be subtracted from the user's EUROs position, and when this value is lower than expected the user keeps the difference at the protocol's expense.

Tools Used

Manual Review

Recommendations

Add checks for minAnswer and maxAnswer

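// Only the answer field of the latest round is used here
(, int256 answer, , , ) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();

// minPrice / maxPrice: the feed's minAnswer / maxAnswer bounds
// minPrice check
require(answer > minPrice, "Min price exceeded");
// maxPrice check
require(answer < maxPrice, "Max price exceeded");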
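
The recommendation above leaves minPrice and maxPrice undefined. The following is an added example, not code from the submission or from The Standard's code base, showing one way to source them on-chain. The names BoundedFeed, read and the two errors are hypothetical, and it assumes the feed address is a Chainlink proxy exposing aggregator() whose underlying aggregator exposes minAnswer() and maxAnswer().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal interfaces declared inline so the example compiles on its own.
interface IFeedProxy {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
    // Assumption: the proxy reports the address of its current underlying aggregator.
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    // Assumption: the underlying aggregator publishes its circuit-breaker band.
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical helper library (not part of the audited code).
library BoundedFeed {
    error PriceAtLowerBound(int256 answer, int256 minAnswer);
    error PriceAtUpperBound(int256 answer, int256 maxAnswer);

    /// Returns the latest answer, reverting when it sits on or outside the
    /// aggregator's band, i.e. when the reported value may be a clamped one.
    function read(address feed) internal view returns (uint256) {
        IFeedProxy proxy = IFeedProxy(feed);
        (, int256 answer, , , ) = proxy.latestRoundData();

        // Read the bounds on every call rather than caching them: the proxy
        // can be repointed to a new aggregator with a different band.
        IOffchainAggregator agg = IOffchainAggregator(proxy.aggregator());
        int256 minAnswer = int256(agg.minAnswer());
        int256 maxAnswer = int256(agg.maxAnswer());

        // An answer equal to a bound is indistinguishable from a clamped one,
        // so the comparisons are non-strict. The zero check guards the cast.
        if (answer <= 0 || answer <= minAnswer) revert PriceAtLowerBound(answer, minAnswer);
        if (answer >= maxAnswer) revert PriceAtUpperBound(answer, maxAnswer);

        return uint256(answer);
    }
}
```

A caller that divides by the returned value, as the costInEuros calculation does, then reverts instead of pricing against a floor value.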

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

chainlink-minanswer

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

chainlink-minanswer
