Chainlink price feeds have built-in minimum and maximum answers (minAnswer and maxAnswer on the underlying aggregator contract) that bound what the feed will ever return. If, during a flash crash, bridge compromise or depegging event, an asset's value falls below the feed's minimum, the feed keeps reporting a price at the minimum rather than the true market price, so any consumer reads an incorrect, inflated value. The same applies in the other direction if the market price rises above the maximum.
This would cause the protocol to believe that an asset in a pool is worth more than it actually is. As a result, the asset weights produced by the rebalance would be less skewed than they should be to provide maximum value for the users.
Code
The function UpdateWeightRunner::_getOracleData returns the oracle's data as-is and never compares the answer against the aggregator's minAnswer/maxAnswer values.
Mitigation:
Chainlink's oracle feed [minAnswer, maxAnswer] values can be found by:
1. looking up the price feed (proxy) address on Chainlink's list of Ethereum mainnet price feeds (or the list for whichever L1/L2 the protocol deploys to),
2. reading the proxy's "aggregator" value, e.g., for the AAVE / USD price feed,
3. reading the minAnswer and maxAnswer values from that aggregator contract.
Compare every returned answer against these bounds and treat a hit at either bound as a signal that the feed is no longer tracking the market:
if an asset's price is equal to (or less than) minAnswer, the asset is performing worse than the feed reports, possibly far worse;
if an asset's price is equal to (or more than) maxAnswer, the asset is performing better than the feed reports.
Note that the bounds belong to the aggregator, not the proxy, and the proxy's aggregator can be swapped on upgrade, so read them from the current aggregator at call time rather than hardcoding them. Some feeds set the bounds to values that never bind (minAnswer of 1 and maxAnswer at the int192 maximum), in which case the check is harmless but gives no protection; verify the actual values for each feed the protocol uses.
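The following Solidity is an added example of the check described above; it is not code from the audited project or from Chainlink. The interface names, the contract name and the `maxStaleness` parameter are assumptions; the selectors used (`latestRoundData`, `aggregator`, `minAnswer`, `maxAnswer`) are those exposed by Chainlink's AggregatorProxy and OffchainAggregator contracts. It exposes both the "signal" approach the mitigation describes (classify the answer against the bounds) and the stricter approach of reverting when the answer sits at a bound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's _getOracleData). Interface and contract
// names below are assumptions; the function selectors are Chainlink's.

/// Subset of the Chainlink AggregatorProxy surface used here.
interface IAggregatorProxy {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

    /// Address of the aggregator currently behind the proxy (changes on upgrade).
    function aggregator() external view returns (address);
}

/// Subset of the OffchainAggregator surface: the circuit-breaker bounds.
interface IAggregatorBounds {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

contract BoundedOracleReader {
    enum BoundStatus { Ok, AtOrBelowMin, AtOrAboveMax }

    error StaleAnswer(uint256 updatedAt, uint256 nowTs);
    error NonPositiveAnswer(int256 answer);
    error AnswerAtBound(BoundStatus status, int256 answer, int192 minAnswer, int192 maxAnswer);

    /// Maximum accepted age of an answer, in seconds (assumed parameter).
    uint256 public immutable maxStaleness;

    constructor(uint256 maxStaleness_) {
        maxStaleness = maxStaleness_;
    }

    /// Classify an answer against the live aggregator's [minAnswer, maxAnswer].
    /// A hit at either bound means the real price may lie beyond it, so the
    /// answer must not be trusted as a market price.
    function classify(address feed, int256 answer)
        public
        view
        returns (BoundStatus status, int192 minAnswer, int192 maxAnswer)
    {
        // Read the bounds from the aggregator behind the proxy on every call;
        // hardcoded values would silently go stale after a proxy upgrade.
        IAggregatorBounds agg = IAggregatorBounds(IAggregatorProxy(feed).aggregator());
        minAnswer = agg.minAnswer();
        maxAnswer = agg.maxAnswer();

        if (answer <= int256(minAnswer)) {
            status = BoundStatus.AtOrBelowMin;   // asset is doing worse than reported
        } else if (answer >= int256(maxAnswer)) {
            status = BoundStatus.AtOrAboveMax;   // asset is doing better than reported
        } else {
            status = BoundStatus.Ok;
        }
    }

    /// Strict variant: returns the answer only if it is positive, fresh and
    /// strictly inside the bounds; otherwise reverts so the caller cannot
    /// rebalance on a pinned price.
    function getPrice(address feed) external view returns (int256 answer, uint256 updatedAt) {
        (, answer, , updatedAt, ) = IAggregatorProxy(feed).latestRoundData();

        if (answer <= 0) revert NonPositiveAnswer(answer);
        if (block.timestamp - updatedAt > maxStaleness) revert StaleAnswer(updatedAt, block.timestamp);

        (BoundStatus status, int192 minAnswer, int192 maxAnswer) = classify(feed, answer);
        if (status != BoundStatus.Ok) revert AnswerAtBound(status, answer, minAnswer, maxAnswer);
    }
}
```

`classify` is the piece that maps onto the mitigation text: a weight runner can call it and, on `AtOrBelowMin`, skip or freeze the update for that asset instead of treating the pinned minimum as a real price. `getPrice` is the simpler choice when any out-of-band answer should halt the operation entirely.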
Reference Article:
https://medium.com/cyfrin/chainlink-oracle-defi-attacks-93b6cb6541bf
LightChaser: [Low-25] Chainlink answer is not compared against min/max values