The contract's _getData() function accepts any non-zero price value without enforcing maximum and minimum price boundaries, creating a significant risk during extreme market events or oracle price feed anomalies.
The vulnerable code in ChainlinkOracle.sol:
The function performs only a basic validation, checking that the price is greater than zero. This implementation diverges from Chainlink's documentation, which explicitly recommends implementing reasonable price boundaries. Without these checks, the contract will accept any price, regardless of how extreme it is.
https://docs.chain.link/data-feeds#check-the-latest-answer-against-reasonable-limits
During market crashes or flash crashes, the oracle will continue processing trades using potentially catastrophic price levels. For instance, if an asset typically trading at $1000 suddenly drops to $1, the contract would accept this price as valid and execute trades accordingly. This scenario isn't theoretical – similar events have occurred in crypto markets, such as the LUNA crash and various flash crashes on major exchanges.
The vulnerability becomes particularly dangerous in automated trading systems where this oracle will be used. A sudden price crash could trigger a cascade of unfavorable liquidations or allow malicious actors to exploit the system through fast-paced trading strategies.
Consider this scenario:
1. Asset normally trades at $1000
2. Flash crash occurs, dropping price to $1
3. Current implementation accepts $1 as valid price
4. Malicious actor uses this price to execute advantageous trades
5. Price recovers to $1000
6. Protocol and users suffer significant losses
Manual review
Update _getData() to check against min/max answer of the Chainlink price feed before consuming the price.
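One way to enforce such limits, as an added example that is not the project's code. The contract name `BoundedPriceReader`, the function `getBoundedPrice()` and the constructor-supplied `minPrice`/`maxPrice` bounds are assumptions; the limits are chosen per asset by the deployer, in the feed's own decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline
// so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical reader contract; names and bounds are assumptions for illustration.
contract BoundedPriceReader {
    AggregatorV3Interface public immutable feed;
    int256 public immutable minPrice; // lowest answer treated as plausible
    int256 public immutable maxPrice; // highest answer treated as plausible

    error PriceOutOfBounds(int256 answer, int256 minPrice, int256 maxPrice);

    constructor(AggregatorV3Interface feed_, int256 minPrice_, int256 maxPrice_) {
        // Bounds must be positive and ordered, otherwise the check below is meaningless.
        require(minPrice_ > 0 && minPrice_ < maxPrice_, "bad bounds");
        feed = feed_;
        minPrice = minPrice_;
        maxPrice = maxPrice_;
    }

    // Reverts instead of returning a price outside [minPrice, maxPrice].
    function getBoundedPrice() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        // A bare `answer > 0` check would accept the $1 print from the scenario;
        // the range check rejects it, and also rejects zero and negative answers.
        if (answer < minPrice || answer > maxPrice) {
            revert PriceOutOfBounds(answer, minPrice, maxPrice);
        }
        return uint256(answer); // safe cast: answer >= minPrice > 0
    }
}
```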
LightChaser: ## [Low-25] Chainlink answer is not compared against min/max values