DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

Don't rely on Chainlink min and max answer

Summary

The protocol uses Chainlink Oracle's min and max answer checks to prevent extreme price fluctuations. However, the min answer value is very small and cannot effectively prevent such fluctuations.

Vulnerability Details

Let's check the limits imposed by the Chainlink aggregators on the prices of assets supported by Zeros:

// WBTC/USD
maxAnswer : 95780971304118053647396689196894323976171195136475135
minAnswer : 1
// SUSDE/USD
maxAnswer : 95780971304118053647396689196894323976171195136475135
minAnswer : 1
// USDE/USD
maxAnswer : 95780971304118053647396689196894323976171195136475135
minAnswer : 1
// USDT/USD
maxAnswer : 100000000000
minAnswer : 1000000

The price for USDT would be considered valid even if it falls to 0.0000002. For example, during the UST/Luna incident, UST was priced at 35 cents, leading to the largest stablecoin depeg. This demonstrates that the minAnswer alone cannot prevent a depegging event. Therefore, the protocol needs to impose its own limits for each asset to address such scenarios. The same applies to other assets.

Impact

Chainlink aggregator limits cannot prevent massive fluctuations and are also deprecated.

Tools Used

Manual Review

Recommendations

Impose limits on each asset to prevent such conditions.
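
One way to implement the per-asset limits recommended above, as an added example that is not code from the submission or from the protocol. The contract name, `setBounds`, `readPrice` and the bound values an owner would configure are hypothetical; `latestRoundData()` is the standard Chainlink `AggregatorV3Interface` call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface used below.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical example: protocol-owned price bands, independent of the
/// aggregator's own minAnswer/maxAnswer.
contract BoundedPriceReader {
    struct Bounds {
        int256 minPrice; // lowest accepted answer, in the feed's decimals
        int256 maxPrice; // highest accepted answer, in the feed's decimals
    }

    error NotOwner();
    error InvalidBounds();
    error BoundsNotSet(address feed);
    error PriceOutOfBounds(address feed, int256 answer);

    address public immutable owner;
    mapping(address feed => Bounds) public boundsOf;

    constructor() {
        owner = msg.sender;
    }

    /// Configure the band for one feed, e.g. a tight band around the peg for a stablecoin feed.
    function setBounds(address feed, Bounds calldata b) external {
        if (msg.sender != owner) revert NotOwner();
        if (b.minPrice <= 0 || b.maxPrice <= b.minPrice) revert InvalidBounds();
        boundsOf[feed] = b;
    }

    /// Returns the latest answer only if it lies inside the protocol's band for that feed.
    function readPrice(address feed) external view returns (int256 answer) {
        Bounds memory b = boundsOf[feed];
        if (b.maxPrice == 0) revert BoundsNotSet(feed); // fail closed for unconfigured feeds
        (, answer, , , ) = AggregatorV3Interface(feed).latestRoundData();
        if (answer < b.minPrice || answer > b.maxPrice) revert PriceOutOfBounds(feed, answer);
    }
}
```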

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
