Not all Chainlink feeds have valid minAnswer and maxAnswer
Summary
Not all Chainlink feeds have valid minAnswer and maxAnswer.
Vulnerability Details
In src/external/chainlink/ChainlinkUtil.sol, aggregator.minAnswer()and aggregator.maxAnswer()are used to check whether the price is within a reasonable range.
However, according to Chainlink documentation
| maxAnswer | This value is no longer used on most Data Feeds. Evaluate if your use case for Data Feeds requires a custom circuit breaker and implement it to meet the needs of your application. See the Risk Mitigation page for more information. |
|---|---|
| minAnswer | This value is no longer used on most Data Feeds. Evaluate if your use case for Data Feeds requires a custom circuit breaker and implement it to meet the needs of your application. See the Risk Mitigation page for more information. |
Both of the values are deprecated in most of Arbitrum's feeds, Making this check ineffective.
Impact
The price band check is insufficient and ineffective.
Likelihood: high - Both of the values are deprecated in most of Arbitrum's feeds.
+
Impact: low - The check on whether the price is within a reasonable range would be ineffective.
=
Severity: low
Tools Used
Manual review
Recommendations
minAnswer and maxAnswercan be overwitten locally.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.