QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Chainlink price feed data is not checked against Chainlink aggregator

Summary

The Chainlink price-feed wrapper only checks that the returned answer is greater than 0; it never compares the answer against the aggregator's minAnswer/maxAnswer bounds.

Vulnerability Details

Chainlink aggregators have a built-in circuit breaker: each aggregator carries a minAnswer/maxAnswer band, and an answer outside that band is clamped to the nearest bound. If an asset collapses far below the band (e.g. the LUNA crash), the feed keeps returning minAnswer instead of the asset's actual market price, and any contract consuming the feed keeps operating at that wrong price.
The oracle wrapper should compare the returned answer against the minAnswer/maxAnswer of the underlying aggregator (reachable through the proxy's aggregator() function, since the bounds are not exposed on the proxy itself) and reject anything on or outside the band:

if (answer >= maxAnswer || answer <= minAnswer) revert();

However, the only validation applied to the value returned by the price feed is that it is greater than 0:

function _getData() internal view override returns (int216, uint40) {
    (, int data, , uint timestamp, ) = priceFeed.latestRoundData();
    require(data > 0, "INVLDDATA"); // the only check on the returned answer; no min/max comparison
    data = data * int(10 ** normalizationFactor);
    return (int216(data), uint40(timestamp)); // Overflow of data is extremely improbable and uint40 is large enough for timestamps for a very long time
}

In the scenario above, the contract would therefore accept the clamped minAnswer as if it were the live price.

Impact

Medium

Tools Used

Manual review

Recommendations

Check the returned answer against the minAnswer/maxAnswer of the underlying Chainlink aggregator and revert when it sits on or outside either bound.
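A hardened version of the wrapper, added here as an example and not part of the QuantAMM code base: it reads minAnswer/maxAnswer from the proxy's underlying aggregator and reverts when the answer sits on either bound. The two interfaces are trimmed to the Chainlink functions actually used (latestRoundData() and aggregator() on the proxy, minAnswer()/maxAnswer() on the OffchainAggregator); the BoundedChainlinkOracle and MockFeed contracts, the normalizationFactor constructor argument and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the Chainlink proxy (EACAggregatorProxy) and the underlying
// OffchainAggregator. The proxy exposes aggregator(); minAnswer()/maxAnswer()
// live on the aggregator, not on the proxy.
interface IAggregatorProxy {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical wrapper mirroring the report's _getData() shape (example code).
contract BoundedChainlinkOracle {
    IAggregatorProxy public immutable priceFeed;
    uint256 public immutable normalizationFactor; // assumed: same 10 ** normalizationFactor scaling as the report

    error InvalidData();
    error AnswerOutsideBand(int256 answer, int192 minAnswer, int192 maxAnswer);

    constructor(IAggregatorProxy feed, uint256 normalization) {
        priceFeed = feed;
        normalizationFactor = normalization;
    }

    function getData() external view returns (int216, uint40) {
        return _getData();
    }

    function _getData() internal view returns (int216, uint40) {
        (, int256 answer, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (answer <= 0) revert InvalidData();

        // Read the band from the live aggregator instead of caching it: the proxy
        // owner can repoint the proxy at a new aggregator with different bounds.
        IOffchainAggregator agg = IOffchainAggregator(priceFeed.aggregator());
        int192 minAnswer = agg.minAnswer();
        int192 maxAnswer = agg.maxAnswer();

        // An answer sitting on either bound is the circuit breaker's clamped value,
        // not a market price, so reject it rather than scale and return it.
        if (answer <= minAnswer || answer >= maxAnswer) {
            revert AnswerOutsideBand(answer, minAnswer, maxAnswer);
        }

        int256 scaled = answer * int256(10 ** normalizationFactor);
        return (int216(scaled), uint40(updatedAt));
    }
}

// Constructed test double standing in for both proxy and aggregator so the
// revert can be exercised locally. Not a real Chainlink contract.
contract MockFeed is IAggregatorProxy, IOffchainAggregator {
    int256 private _answer;
    int192 private _min;
    int192 private _max;

    constructor(int192 min_, int192 max_) {
        _min = min_;
        _max = max_;
    }

    function setAnswer(int256 a) external { _answer = a; }

    function aggregator() external view returns (address) { return address(this); }
    function minAnswer() external view returns (int192) { return _min; }
    function maxAnswer() external view returns (int192) { return _max; }

    function latestRoundData()
        external
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, _answer, block.timestamp, block.timestamp, 1);
    }
}
```

To reproduce the LUNA-style case, deploy MockFeed with a band such as (1e8, 1e12), wrap it in BoundedChainlinkOracle, and call setAnswer(1e8): the feed reports the clamped lower bound and getData() reverts with AnswerOutsideBand, whereas an in-band value like 5e8 is scaled and returned. Note that not every feed carries a meaningful band; where minAnswer is 1 and maxAnswer sits near the type maximum the comparison passes trivially, so it complements rather than replaces application-specific sanity limits on the price.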

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_chainlink_min_max_no_check

LightChaser: ## [Low-25] Chainlink answer is not compared against min/max values
