The FertilizerFacet contract in the project uses the LibUsdOracle.getUsdPrice(barnRaiseToken) function to determine the price of the Barn Raise token in USD. This function does not check the returned price against the minPrice and maxPrice bounds (exposed as minAnswer() and maxAnswer() on the Chainlink aggregator behind the feed proxy). Chainlink aggregators use these bounds as a circuit breaker: if the market price moves outside the range, the feed keeps reporting the bound instead of the true price. Without the check, the protocol will value the Barn Raise token at the bound rather than at market during such an event, which could open the door to several attacks on the protocol, such as flash loan attacks, short selling, and manipulation of loan-to-value ratios.
The vulnerability arises because the LibUsdOracle.getUsdPrice(barnRaiseToken) function does not validate the returned price against the minPrice and maxPrice bounds. If the token's market price falls below minAnswer, the feed continues to report minAnswer and the protocol values the token above its real worth. This could allow attackers to manipulate loan issuance and collateral valuation, potentially leading to significant financial losses for the protocol.
Manual code review
To mitigate this risk, it is crucial to implement a check that compares the returned price against the minPrice and maxPrice bounds and reverts (or falls back to a secondary oracle) when the answer sits at or outside either bound. This check should be performed wherever the price is fetched and used in the protocol, such as in the LibUsdOracle.getUsdPrice function, or directly in the FertilizerFacet contract if the price is fetched there.
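One way to implement the recommended check, as an added example that is not code from the project or from the original finding. The Chainlink function names (latestRoundData, aggregator, minAnswer, maxAnswer) are real; the library name SafeChainlinkPrice, the feed and maxStaleness parameters and the custom errors are assumptions made for this illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slices of the real Chainlink interfaces. AggregatorV3Interface does not
// expose the circuit-breaker bounds; they live on the aggregator behind the proxy.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

    function decimals() external view returns (uint8);
}

interface IAggregatorProxy is IAggregatorV3 {
    // Address of the current underlying aggregator (set by Chainlink on upgrades).
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Example library (hypothetical name); shows the bounds check the finding recommends.
library SafeChainlinkPrice {
    error InvalidAnswer(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxStaleness);
    error PriceAtCircuitBreaker(int256 answer, int192 minAnswer, int192 maxAnswer);

    /// @param feed        Chainlink proxy address for the token/USD feed (assumed parameter).
    /// @param maxStaleness Maximum accepted age of the answer in seconds (assumed parameter).
    /// @return price      Answer in the feed's own decimals, guaranteed strictly inside the bounds.
    function getBoundedPrice(address feed, uint256 maxStaleness) internal view returns (uint256 price) {
        (, int256 answer, , uint256 updatedAt, ) = IAggregatorProxy(feed).latestRoundData();

        // Reject non-positive answers and stale rounds before looking at the bounds.
        if (answer <= 0) revert InvalidAnswer(answer);
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, maxStaleness);

        // Read the circuit-breaker bounds from the aggregator behind the proxy.
        address agg = IAggregatorProxy(feed).aggregator();
        int192 minAnswer = IOffchainAggregator(agg).minAnswer();
        int192 maxAnswer = IOffchainAggregator(agg).maxAnswer();

        // When the breaker trips the feed reports exactly the bound, so equality
        // is treated as out of range, not just values beyond it.
        if (answer <= int256(minAnswer) || answer >= int256(maxAnswer)) {
            revert PriceAtCircuitBreaker(answer, minAnswer, maxAnswer);
        }

        price = uint256(answer);
    }
}
```

Reverting is the conservative choice for a purchase path such as Fertilizer minting: refusing to sell during a circuit-breaker event is safer than selling at the wrong valuation. One caveat a reviewer should confirm per feed: some newer Chainlink aggregators set minAnswer and maxAnswer to trivial values (effectively 1 and the int192 maximum), which makes this check vacuous for that feed. In that case the protocol still needs an independent sanity bound or a secondary price source rather than relying on the aggregator's bounds alone.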