Chainlink aggregators are equipped with a built-in circuit breaker designed to activate if the price of an asset moves outside a predetermined price range. Consequently, in the event of a substantial decrease in the value of an asset, the oracle will keep reporting the minimum price instead of the actual asset price. This scenario could enable users to continue borrowing against the asset, albeit at an inaccurate price.
Currently, the function checkForInvalidTimestampOrAnswer only checks whether the answer (price) is non-positive.
Consider the following scenario:
Token X, with a minimum price set at 10, experiences a drop in value to 1. Despite this, the aggregator continues to report 10, enabling users to borrow against Token X as if it were valued at 10, which is basically 10 times its actual worth.
In case of a market crash, an incorrect price might be provided, allowing adversaries to borrow against this inaccurate valuation and accumulate detrimental debt within the protocol.
Recommendation
The ChainlinkAdapterOracle needs to verify that the returned answer falls within the specified minPrice and maxPrice ranges. If the answer lies outside of these boundaries, the system should revert.
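A sketch of the recommended check, added here as an example and not taken from the audited code base: the contract name BoundedChainlinkReader, its errors, and the per-feed minPrice/maxPrice configuration are assumptions; only latestRoundData() is Chainlink's own interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's AggregatorV3Interface needed for this example.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical adapter illustrating the bounds check only. The staleness and
// non-positive checks the real adapter already performs are left out here.
contract BoundedChainlinkReader {
    error InvalidBounds();
    error AnswerOutOfBounds(int256 answer, int256 minPrice, int256 maxPrice);

    AggregatorV3Interface public immutable feed;
    // Assumed to be configured to match the feed's circuit-breaker range.
    int256 public immutable minPrice;
    int256 public immutable maxPrice;

    constructor(AggregatorV3Interface feed_, int256 minPrice_, int256 maxPrice_) {
        // Reject a misconfigured range up front so the check below is meaningful.
        if (minPrice_ <= 0 || maxPrice_ <= minPrice_) revert InvalidBounds();
        feed = feed_;
        minPrice = minPrice_;
        maxPrice = maxPrice_;
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();

        // In the Token X scenario the feed reports exactly the minimum (10)
        // while the market price is 1. The comparison is therefore inclusive:
        // an answer sitting on a bound is treated as clamped, not as a price.
        if (answer <= minPrice || answer >= maxPrice) {
            revert AnswerOutOfBounds(answer, minPrice, maxPrice);
        }

        // Safe cast: answer > minPrice > 0 at this point.
        return uint256(answer);
    }
}
```

With minPrice set to 10, a reported answer of 10 reverts, so borrowing against Token X stops at the point where the feed can no longer track the real price.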