First Flight #21: KittyFi

Tags: Beginner Friendly, DeFi, Foundry
100 EXP
Submission Details
Severity: medium
Valid

Potential Manipulation of Collateral Values via External Price Feeds

Relevant GitHub Links

https://github.com/Cyfrin/2024-08-kitty-fi/blob/main/src/KittyVault.sol#L127-L131

Summary

KittyVault prices collateral from Chainlink-style feeds but uses only the `answer` field of `latestRoundData()`, with no check that the answer is positive, fresh, or from a completed round. A stale or invalid price is therefore accepted as a valid collateral valuation.

Vulnerability Details

The vault determines collateral value by reading external price feeds, but it consumes only the `answer` returned by `latestRoundData()` and discards `roundId`, `updatedAt` and `answeredInRound`. Nothing verifies that the answer is greater than zero, that `updatedAt` is within the feed's heartbeat, or that `answeredInRound >= roundId` (i.e. that the round actually completed). If a feed stops updating (missed heartbeat, paused aggregator) or returns a zero or negative sentinel value, the vault keeps pricing collateral on data that no longer reflects the market, so positions can become under-collateralized without being liquidatable, or be liquidated against a price that is no longer correct.

// roundId, startedAt, updatedAt and answeredInRound are all discarded; only the raw answer is used
(, int256 collateralToUsdPrice, , , ) = i_priceFeed.latestRoundData();
(, int256 euroPriceFeedAns, , , ) = i_euroPriceFeed.latestRoundData();

Both reads (`i_priceFeed` and `i_euroPriceFeed`) trust the feed output unconditionally. There is no staleness check, no sanity bound on the value, and no secondary source to fall back to, so a single incorrect, stale or manipulated answer from either feed propagates directly into every collateral valuation the vault performs.

Impact

If either feed returns stale, zero, or otherwise incorrect data, collateral is systematically mis-valued across the protocol. Depending on the direction of the error this enables either mass liquidations of healthy positions or the accumulation of under-collateralized debt that cannot be liquidated, leading to insolvency.

Tools Used

Manual review

Recommendations

Validate every value returned by `latestRoundData()` before using it, for both `i_priceFeed` and `i_euroPriceFeed`: revert if `answer <= 0`, if `updatedAt` is zero or older than the feed's published heartbeat (plus a small grace period), or if `answeredInRound < roundId`. Beyond that, consider a fallback oracle or a second independent price source and reject answers that diverge from it beyond a tolerance, so that one stale or compromised feed cannot dictate collateral value on its own.
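The following is an added example, not KittyFi code, showing the checks above as a small library plus a Foundry test that exercises each failure mode. The names `SafeFeed`, `FeedConsumer` and `MockFeed` are hypothetical, the `AggregatorV3Interface` subset mirrors the real Chainlink signature, and the test assumes `forge-std` is available as it is in the KittyFi repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Subset of Chainlink's AggregatorV3Interface; latestRoundData() has exactly this
// signature, and KittyVault currently keeps only `answer` from it.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical hardened reader (example code, not KittyFi's). `maxAge` should sit a
// little above the feed's published heartbeat so a single missed update is caught.
library SafeFeed {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    function getPrice(AggregatorV3Interface feed, uint256 maxAge) internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        // Zero or negative answers are sentinel or garbage values, never real prices.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round never completed; a future timestamp is equally bogus.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(updatedAt, maxAge);
        }
        // The answer must belong to the current round, not be carried over from an older one.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        return uint256(answer);
    }
}

// Stand-in for the vault's price read, so the test can observe reverts across an external call.
contract FeedConsumer {
    using SafeFeed for AggregatorV3Interface;

    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge;

    constructor(AggregatorV3Interface _feed, uint256 _maxAge) {
        feed = _feed;
        maxAge = _maxAge;
    }

    function price() external view returns (uint256) {
        return feed.getPrice(maxAge);
    }
}

// Constructed mock feed whose round data the test sets directly.
contract MockFeed is AggregatorV3Interface {
    uint80 public roundId;
    int256 public answer;
    uint256 public updatedAt;
    uint80 public answeredInRound;

    function set(uint80 r, int256 a, uint256 u, uint80 ar) external {
        roundId = r; answer = a; updatedAt = u; answeredInRound = ar;
    }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (roundId, answer, 0, updatedAt, answeredInRound);
    }
}

contract SafeFeedTest is Test {
    uint256 constant HEARTBEAT = 1 hours;
    uint256 constant MAX_AGE = HEARTBEAT + 5 minutes;
    MockFeed feed;
    FeedConsumer consumer;

    function setUp() public {
        feed = new MockFeed();
        consumer = new FeedConsumer(feed, MAX_AGE);
        vm.warp(10 days); // give block.timestamp room to subtract from
    }

    function test_freshPriceAccepted() public {
        feed.set(10, 2_000e8, block.timestamp, 10);
        assertEq(consumer.price(), 2_000e8);
    }

    function test_stalePriceRejected() public {
        uint256 t = block.timestamp;
        feed.set(10, 2_000e8, t, 10);
        vm.warp(t + MAX_AGE + 1); // one second past the allowed age
        vm.expectRevert(abi.encodeWithSelector(SafeFeed.StalePrice.selector, t, MAX_AGE));
        consumer.price();
    }

    function test_zeroAnswerRejected() public {
        feed.set(11, 0, block.timestamp, 11);
        vm.expectRevert(abi.encodeWithSelector(SafeFeed.InvalidPrice.selector, int256(0)));
        consumer.price();
    }

    function test_incompleteRoundRejected() public {
        feed.set(12, 2_000e8, block.timestamp, 11);
        vm.expectRevert(abi.encodeWithSelector(SafeFeed.IncompleteRound.selector, uint80(12), uint80(11)));
        consumer.price();
    }
}
```

Run with `forge test --match-contract SafeFeedTest`. The same `getPrice` call would replace both raw `latestRoundData()` reads in `KittyVault`, with a `maxAge` chosen per feed from its heartbeat; reverting on a bad read is deliberate, since continuing with a stale value is exactly the failure this finding describes.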

Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Stale Price from Chainlink Datafeed
