Summary

The FertilizerFacet contract in the project uses the LibUsdOracle.getUsdPrice(barnRaiseToken) function to determine the price of the Barn Raise token in USD. This function does not check the returned price against the minPrice and maxPrice bounds provided by the Chainlink oracle. This omission could lead to significant vulnerabilities, including the potential for price manipulation, which could open doors for several attacks on the protocol, such as flash loan attacks, short selling, and manipulation of loan-to-value ratios.

Vulnerability Details

From below code you can observe that the vulnerability arises because the LibUsdOracle.getUsdPrice(barnRaiseToken) function does not validate the returned price against the minPrice and maxPrice bounds.

Impact

The vulnerability could allow attackers to manipulate loan issuance and collateral valuation, potentially leading to significant financial losses for the protocol.

Tools Used

Manual code review

Recommendations

To mitigate this risk, it's crucial to implement a check that compares the returned price against the minPrice and maxPrice bounds. This check should be performed wherever the price is fetched and used in the protocol, such as in the LibUsdOracle.getUsdPrice function or directly in the FertilizerFacet contract if the price is fetched there.