DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

Price Manipulation Vulnerability in `FertilizerFacet` Contract

Summary

The FertilizerFacet contract in the project uses the LibUsdOracle.getUsdPrice(barnRaiseToken) function to determine the price of the Barn Raise token in USD. This function does not check the returned price against the minPrice and maxPrice bounds provided by the Chainlink oracle. This omission could lead to significant vulnerabilities, including the potential for price manipulation, which could open doors for several attacks on the protocol, such as flash loan attacks, short selling, and manipulation of loan-to-value ratios.

Vulnerability Details

The code below shows where the problem arises: `_getMintFertilizerOut` divides the incoming token amount by the value returned from `LibUsdOracle.getUsdPrice(barnRaiseToken)`, and that function does not validate the returned price against the minPrice and maxPrice bounds. If the oracle answer is pinned at one of those bounds, the fertilizer amount is computed from a price that no longer reflects the market.

```solidity
function _getMintFertilizerOut(
    uint256 tokenAmountIn,
    address barnRaiseToken
) public view returns (uint256 fertilizerAmountOut) {
    fertilizerAmountOut = tokenAmountIn.div(
        LibUsdOracle.getUsdPrice(barnRaiseToken)
    );
}
```

Impact

The vulnerability could allow attackers to manipulate loan issuance and collateral valuation, potentially leading to significant financial losses for the protocol.

Tools Used

Manual code review

Recommendations

To mitigate this risk, implement a check that compares the returned price against the minPrice and maxPrice bounds and reverts when the answer sits at either bound. The check should be performed wherever a price is fetched and consumed by the protocol: inside `LibUsdOracle.getUsdPrice`, or directly in the `FertilizerFacet` contract if the price is fetched there.
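The following is an added example written for this page, not Beanstalk, `LibUsdOracle` or `FertilizerFacet` code. It shows a USD price read that enforces the bounds check the report asks for, together with the staleness and round checks a Chainlink consumer normally pairs with it, and then a hardened counterpart of `_getMintFertilizerOut` that consumes it. The feed address, the `MAX_PRICE_AGE` window, the 6-decimal output scaling and the contract/library names are all assumptions; the `aggregator()`, `minAnswer()` and `maxAnswer()` getters are the ones exposed by Chainlink's proxy and aggregator contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not project code. Demonstrates rejecting Chainlink answers that
// sit at the aggregator's minAnswer/maxAnswer circuit-breaker bounds.

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// The Chainlink proxy exposes its current aggregator; the aggregator exposes its bounds.
interface AggregatorProxy {
    function aggregator() external view returns (address);
}

interface AggregatorBounds {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

library SafeUsdOracle {
    error InvalidRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt);
    error NonPositiveAnswer(int256 answer);
    error AnswerAtBound(int256 answer, int192 minAnswer, int192 maxAnswer);

    /// @param feed   Chainlink proxy for the token/USD feed (assumed input)
    /// @param maxAge seconds after which the answer is treated as stale (assumed parameter)
    /// @return price USD price scaled to 1e6 (assumed output convention)
    function getUsdPrice(address feed, uint256 maxAge) internal view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();

        if (answeredInRound < roundId) revert InvalidRound(roundId, answeredInRound);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt);
        if (answer <= 0) revert NonPositiveAnswer(answer);

        // Circuit-breaker check: when the market price moves outside
        // [minAnswer, maxAnswer] the aggregator keeps reporting the bound itself,
        // so an answer equal to a bound is not a usable market price.
        address agg = AggregatorProxy(feed).aggregator();
        int192 minAnswer = AggregatorBounds(agg).minAnswer();
        int192 maxAnswer = AggregatorBounds(agg).maxAnswer();
        if (answer <= int256(minAnswer) || answer >= int256(maxAnswer)) {
            revert AnswerAtBound(answer, minAnswer, maxAnswer);
        }

        uint8 feedDecimals = AggregatorV3Interface(feed).decimals();
        price = (uint256(answer) * 1e6) / (10 ** feedDecimals);
    }
}

// Hardened counterpart of the report's _getMintFertilizerOut (example code).
contract FertilizerQuote {
    uint256 public constant MAX_PRICE_AGE = 1 hours; // assumed window
    address public immutable barnRaiseTokenUsdFeed;   // assumed constructor input

    constructor(address feed) {
        barnRaiseTokenUsdFeed = feed;
    }

    // Reverts instead of pricing fertilizer off an answer pinned at a bound.
    function getMintFertilizerOut(uint256 tokenAmountIn) external view returns (uint256) {
        uint256 usdPrice = SafeUsdOracle.getUsdPrice(barnRaiseTokenUsdFeed, MAX_PRICE_AGE);
        return tokenAmountIn / usdPrice;
    }
}
```

Two practical caveats when adopting this pattern: the bound getters live on the underlying aggregator rather than the proxy, so the example resolves it through `aggregator()` on every call; and on feeds where Chainlink has set the bounds to effectively unlimited values the check is satisfied trivially, so the staleness and round checks remain the main line of defence there.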

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink validation
