The Standard

Proof of Concept

From codes we can see clearly that protocol uses only Chainlink as the pricing logic provider for all assets and also hardcodes this addresses, but this could be very problematic and end up causing a DOS to any attempts of pricing assets, how?

The pricefeeds could be getting deprecated for example navigating to the official Chainlink site for feeds, and grepping it for the feeds that are to be deprecated we can see that there is a specific section for deprecating feeds which currently has 4 pricefeeds.

NB: Chainlink in this instance does it's due diligence to inform user that a feed is going to be deprecated and inform the dates for this deprecation, which the user (in this case The Standard) is expected to look for other sources of pricing, but that's currently not possible.
Also this shouldn't be considered pureky as the reversion case when prices are being queried since in this case this doesn't just happen improptu and users have been warned before hand given due dates when an oracle is going to be deprecated and all, so since oracles are hardcoded and The Standard has no way of saving the complete DOS that would occur for all pricing logic that pertains this asset and even the whole assets when they are being checked in a loop

Impact

As explained above it's no news that some price feeds could get deprecated for whatever reason, i.e in some cases maybe the addresses of such feeds need to be changed to now support having a min/max range or vice versa, in whatever case, Chainlink does it's due diligence to inform users (in this case The Standard) about the soon to be implemented change but there is currently no way to change the address, which would cause all functionalities that query these prices revert, i.e the inability to distributeAssets() or even check anything that contains pricing logic and all.

Tool used

Manual Review

Recommended Mitigation Steps

To kill 2 birds with one stone, an easy fix would be to implement a fallback oracle, as this helps in the case where a feed is going to be deprecated forever as protocol has another access to get prices and also helps in the case where for whatever reason an attempt to query prices revert.