Submission Details
Severity:
`LiquidationPool::distributeAssets` Chainlink will return the wrong price if aggregator hits `minAnswer`
Summary
Chainlink aggregators have a built-in circuit breaker for scenarios when the price of an asset goes outside of a predetermined price bound/range.
The result of this is the oracle having to keep returning minPrice instead of the actual price in the case where an asset experiences a huge price drop in a short period of time e.g LUNA crash.
Vulnerability Details
function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
consolidatePendingStakes();
(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
uint256 stakeTotal = getStakeTotal();
uint256 burnEuros;
uint256 nativePurchased;
for (uint256 j = 0; j < holders.length; j++) {
Position memory _position = positions[holders[j]];
uint256 _positionStake = stake(_position);
if (_positionStake > 0) {
for (uint256 i = 0; i < _assets.length; i++) {
ILiquidationPoolManager.Asset memory asset = _assets[i];
if (asset.amount > 0) {
@> (,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
uint256 _portion = asset.amount * _positionStake / stakeTotal;
uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd)
* _hundredPC / _collateralRate;
if (costInEuros > _position.EUROs) {
_portion = _portion * _position.EUROs / costInEuros;
costInEuros = _position.EUROs;
}
_position.EUROs -= costInEuros;
rewards[abi.encodePacked(_position.holder, asset.token.symbol)] += _portion;
burnEuros += costInEuros;
if (asset.token.addr == address(0)) {
nativePurchased += _portion;
} else {
IERC20(asset.token.addr).safeTransferFrom(manager, address(this), _portion);
}
}
}
}
positions[holders[j]] = _position;
}
if (burnEuros > 0) IEUROs(EUROs).burn(address(this), burnEuros);
returnUnpurchasedNative(_assets, nativePurchased);
}
Impact
This would result in users using wrong returned price data to calculate for the costInEuros value in such occurrences.
Tools Used
Manual review
Recommendations
You will need to set a minPrice & maxPrice bound such as:
function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
consolidatePendingStakes();
(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
+ if (priceEurUsd > minPriceEurUsd) revert BreachedMinPriceEU();
+ if (priceEurUsd < maxPriceEurUsd) revert BreachedMaxPriceEU();
uint256 stakeTotal = getStakeTotal();
...
if (asset.amount > 0) {
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
+ if (assetPriceUsd > minPriceUsd) revert BreachedMinPriceUSD();
+ if (assetPriceUsd < maxPriceEurUsd) revert BreachedMaxPriceUSD();
uint256 _portion = asset.amount * _positionStake / stakeTotal;
...
Updates
Lead Judging Commences
hrishibhat almost 2 years ago
Submission Judgement Published Assigned finding tags:
chainlink-minanswer
hrishibhat almost 2 years ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
chainlink-minanswer
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
60933
USDC / LOC
17,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.