Chainlink oracle price feeds only ensure that the returned data is greater than 0
Chainlink aggregators have a built-in circuit breaker that triggers if the price of an asset goes outside a predetermined price band. As a result, if an asset experiences a huge drop in value (e.g. the LUNA crash), the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow a user to continue borrowing with the asset, but at the wrong price.
The oracles should check the returned answer against the minPrice/maxPrice from the aggregator like this:
However, the only check for the returned data from the price feeds is that it must be greater than 0:
This is dangerous in the situation described above.
Medium
Manual review
Check the returned value against the minPrice/maxPrice from the Chainlink aggregators
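One way to implement the recommended check, as an added example in Solidity (not the audited project's code, and not the snippet the report originally showed). The contract name `BoundedPriceReader` and its error names are hypothetical; the example assumes the feed address is a Chainlink proxy exposing `aggregator()`, and that the underlying aggregator exposes the bounds this report calls minPrice/maxPrice as `minAnswer()` and `maxAnswer()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited project's code.
// Minimal interfaces for the Chainlink feed proxy and the aggregator behind it.
interface IFeedProxy {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical consumer contract.
contract BoundedPriceReader {
    IFeedProxy public immutable feed;

    error PriceNotPositive(int256 answer);
    error PriceAtOrBelowMin(int256 answer, int256 minAnswer);
    error PriceAtOrAboveMax(int256 answer, int256 maxAnswer);

    constructor(address feed_) {
        feed = IFeedProxy(feed_);
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();

        // The check the finding describes as the only one in place.
        if (answer <= 0) revert PriceNotPositive(answer);

        // Read the bounds on every call: the proxy can be repointed to a
        // new aggregator with different limits.
        IOffchainAggregator agg = IOffchainAggregator(feed.aggregator());
        int256 minAnswer = agg.minAnswer();
        int256 maxAnswer = agg.maxAnswer();

        // An answer sitting on a bound may have been clamped by the
        // circuit breaker, so it is not trusted as a market price.
        if (answer <= minAnswer) revert PriceAtOrBelowMin(answer, minAnswer);
        if (answer >= maxAnswer) revert PriceAtOrAboveMax(answer, maxAnswer);

        return uint256(answer);
    }
}
```

Reverting when the answer sits on a bound stops borrowing against a clamped price; a protocol that must keep operating would switch to a fallback price source at that point instead.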
LightChaser: [Low-25] Chainlink answer is not compared against min/max values