DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

LibEthUsdOracle returning wrong price on minAnswer

Summary

The Chainlink aggregator used in the LibEthUsdOracle contract has no mechanism to detect and handle the case where the price of an asset falls outside the aggregator's predetermined price band. When that happens, the oracle returns the minPrice instead of the actual price of the asset during extreme market events such as a sharp drop in value. Consequently, users may continue to interact with the system, for example by minting fertilizer tokens, using inaccurate price data. A similar case happened with Venus on BSC when LUNA imploded.

More references for similar issues:

https://medium.com/cyfrin/chainlink-oracle-defi-attacks-93b6cb6541bf (see the section "Oracle Returns Incorrect Price During Flash Crashes")
https://github.com/sherlock-audit/2023-02-blueberry-judging/issues/18
https://github.com/sherlock-audit/2023-05-ironbank-judging/issues/25

Vulnerability Details

function getPrice(
    address priceAggregatorAddress,
    uint256 maxTimeout
) internal view returns (uint256 price) {
    IChainlinkAggregator priceAggregator = IChainlinkAggregator(priceAggregatorAddress);
    // First, try to get current decimal precision:
    uint8 decimals;
    try priceAggregator.decimals() returns (uint8 _decimals) {
        // If call to Chainlink succeeds, record the current decimal precision
        decimals = _decimals;
    } catch {
        // If call to Chainlink aggregator reverts, return a price of 0 indicating failure
        return 0;
    }

    // Secondly, try to get latest price data:
    try priceAggregator.latestRoundData() returns (
        uint80 roundId,
        int256 answer,
        uint256 /* startedAt */,
        uint256 timestamp,
        uint80 /* answeredInRound */
    ) {
        // Check for an invalid roundId that is 0
        if (roundId == 0) return 0;
        if (checkForInvalidTimestampOrAnswer(timestamp, answer, block.timestamp, maxTimeout)) {
            return 0;
        }
        // Note: `answer` is never compared against the aggregator's min/max price band here.
        // Adjust to 6 decimal precision.
        return uint256(answer).mul(PRECISION).div(10 ** decimals);
    } catch {
        // If call to Chainlink aggregator reverts, return a price of 0 indicating failure
        return 0;
    }
}

Impact

Because the aggregator clamps its answer to the configured band, price discrepancies during extreme market conditions can be exploited. For instance, if the price of an asset crashes suddenly, the oracle continues to report the minPrice, allowing users to conduct transactions at incorrect prices. This could result in financial losses for users and undermine the integrity of the system.

Tools Used

Recommendations

It is recommended to enhance the Chainlink oracle (LibEthUsdOracle) with a check of the returned answer against predefined minPrice and maxPrice bounds. If the answer falls outside these bounds, the oracle should revert the transaction, indicating that the price data is not reliable under current market conditions.
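The following is an added example of the recommended bounds check, written for this page and not taken from the Beanstalk code base. It keeps the shape of the getPrice function above but reverts instead of returning 0, as the recommendation suggests. The interface name, the PRECISION constant, the custom error names and the decision to pass minPrice/maxPrice in as parameters are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the Chainlink aggregator interface (assumed for this example).
interface IChainlinkAggregator {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative price reader that rejects answers clamped to the feed's band.
/// @dev Example code, not the Beanstalk library; names, constants and the
///      revert-on-failure policy are choices made for this illustration.
library LibBoundedEthUsdOracle {
    // Target precision of the returned price (6 decimals), mirroring the report's description.
    uint256 internal constant PRECISION = 1e6;

    error AggregatorCallFailed();
    error InvalidRound(uint80 roundId);
    error StaleOrInvalidAnswer(int256 answer, uint256 updatedAt);
    error PriceOutsideBand(int256 answer, int256 minPrice, int256 maxPrice);

    /// @param priceAggregatorAddress Chainlink feed to read.
    /// @param maxTimeout Maximum accepted age of the answer, in seconds.
    /// @param minPrice Lowest answer treated as genuine, in the feed's raw decimals.
    /// @param maxPrice Highest answer treated as genuine, in the feed's raw decimals.
    function getPrice(
        address priceAggregatorAddress,
        uint256 maxTimeout,
        int256 minPrice,
        int256 maxPrice
    ) internal view returns (uint256 price) {
        IChainlinkAggregator priceAggregator = IChainlinkAggregator(priceAggregatorAddress);

        // Decimal precision of the feed; a failing call is treated as an unusable oracle.
        uint8 decimals;
        try priceAggregator.decimals() returns (uint8 _decimals) {
            decimals = _decimals;
        } catch {
            revert AggregatorCallFailed();
        }

        try priceAggregator.latestRoundData() returns (
            uint80 roundId,
            int256 answer,
            uint256 /* startedAt */,
            uint256 updatedAt,
            uint80 /* answeredInRound */
        ) {
            if (roundId == 0) revert InvalidRound(roundId);

            // Staleness and sign checks, equivalent in spirit to the original helper.
            if (
                answer <= 0 ||
                updatedAt == 0 ||
                updatedAt > block.timestamp ||
                block.timestamp - updatedAt > maxTimeout
            ) {
                revert StaleOrInvalidAnswer(answer, updatedAt);
            }

            // Band check. A feed that has hit its limit reports exactly the limit value,
            // so equality with either bound must be rejected as well, not only values beyond it.
            if (answer <= minPrice || answer >= maxPrice) {
                revert PriceOutsideBand(answer, minPrice, maxPrice);
            }

            // Adjust to 6 decimal precision (checked arithmetic in Solidity >= 0.8).
            return (uint256(answer) * PRECISION) / (10 ** decimals);
        } catch {
            // Reverts raised inside the try body above are not caught here; only a
            // failure of the external call itself lands in this branch.
            revert AggregatorCallFailed();
        }
    }
}
```

The bounds should be configured so they sit strictly inside the aggregator's own limits; values taken from the feed's minAnswer/maxAnswer (exposed by the underlying aggregator rather than the proxy) or set by governance both work, as long as they are reviewed whenever the feed is updated. Reverting rather than returning 0 is a deliberate choice here: it halts dependent operations such as minting during a crash instead of letting them proceed on a clamped price, which is the failure mode the report describes.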

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Chainlink validation
