The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

`LiquidationPool.distributeAssets` will use the wrong price if the Chainlink registry returns price outside min/max range

Summary

The Chainlink aggregators include a circuit breaker that activates if an asset's price falls outside a preset price band. Consequently, during significant price drops (e.g., the LUNA crash), the oracle continues to report the minimum price instead of the asset's actual market price. This flaw allows borrowers to leverage the asset at an incorrect valuation. A similar situation occurred with Venus on BSC during the LUNA crash.

Vulnerability Detail

The current implementation does not check if the price falls within an acceptable range (between min and max price).

Impact

In a market downturn, this issue could result in the oracle returning an inaccurate price. This leads to miscalculations in `costInEuro` and results in the incorrect distribution of assets.

Tool Used

Manual Review

Recommendation

For each asset, a comprehensive check should be implemented. The system must revert transactions if the price is less than or equal to the minimum price or greater than or equal to the maximum price.
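
One way to implement this check so that each feed is compared with its own band. This is an added example, not code from The Standard or from the submission: `IFeedProxy`, `IOffchainAggregator` and `BoundedPrice` are hypothetical names, the compiler version is assumed, and it assumes each feed address is a Chainlink proxy whose underlying aggregator exposes `minAnswer()` and `maxAnswer()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // assumed; custom errors need 0.8.4 or later

// Added example, not code from The Standard. Interface and library names are
// hypothetical; the declared functions are the ones Chainlink feeds expose.
interface IFeedProxy {
    function aggregator() external view returns (address);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound
    );
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

library BoundedPrice {
    error PriceAtCircuitBreaker(address feed, int256 answer);

    /// @notice Latest answer of `feed`, reverting when it sits on or outside
    ///         that feed's own min/max band.
    function read(address feed) internal view returns (int256 answer) {
        (, answer, , , ) = IFeedProxy(feed).latestRoundData();

        // The band belongs to the aggregator currently behind the proxy, so it
        // is looked up on every read instead of being cached.
        IOffchainAggregator agg = IOffchainAggregator(IFeedProxy(feed).aggregator());
        int256 minAnswer = int256(agg.minAnswer());
        int256 maxAnswer = int256(agg.maxAnswer());

        // Same condition as the recommendation: revert if price <= min or >= max.
        if (answer <= minAnswer || answer >= maxAnswer) {
            revert PriceAtCircuitBreaker(feed, answer);
        }
    }
}
```

With this helper, the two reads in `distributeAssets` would become `BoundedPrice.read(eurUsd)` and `BoundedPrice.read(asset.token.clAddr)`.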

(, int256 priceEurUsd, , , ) = Chainlink
.AggregatorV3Interface(eurUsd)
.latestRoundData();
+require(minAnswer < priceEurUsd && priceEurUsd < maxAnswer, "Incorrect price");
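Review bot: `minAnswer` and `maxAnswer` in the added `require` are not declared anywhere in the lines shown, and the standard `AggregatorV3Interface` has no getter for them. State where they come from: on a Chainlink feed they are read from the contract returned by the proxy's `aggregator()`, so the check needs that lookup for `eurUsd` before the comparison.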
...
(, int256 assetPriceUsd, , , ) = Chainlink
.AggregatorV3Interface(asset.token.clAddr)
.latestRoundData();
+require(minAnswer < assetPriceUsd && assetPriceUsd < maxAnswer, "Incorrect price");
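Review bot: the `require` on `assetPriceUsd` compares against the same `minAnswer` and `maxAnswer` names used for `priceEurUsd` above, but the EUR/USD feed and the feed at `asset.token.clAddr` each have their own band. Fetch the bounds per feed, and give the two checks distinct revert strings so a failed distribution shows which feed tripped; both currently say "Incorrect price".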
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

chainlink-minanswer

PTolev Submitter
over 1 year ago
hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

chainlink-minanswer
