The Chainlink Oracle implementation fails to account for minAnswer and maxAnswer boundaries, potentially allowing the protocol to use incorrect price data during extreme market events.
The Chainlink Oracle retrieves price data using latestRoundData but does not validate whether the returned price lies within the predefined minAnswer and maxAnswer range. Chainlink feeds may employ these boundaries to ensure price reliability and mitigate the effects of anomalies or extreme market movements.
For example, an aggregator feed may have well-defined minAnswer and maxAnswer values to restrict valid price ranges. However, the current implementation neglects this feature and could inadvertently use a price outside of these bounds.
Consider the following code snippet:
ChainlinkOracle.sol#L27-L33
Here, the data returned by the oracle is directly used without validating it against the oracle's minAnswer and maxAnswer.
During extreme market conditions, the protocol may use stale capped prices from Chainlink feeds instead of actual market prices.
Manual Review
Modify the implementation to include a check that validates the returned price against the minAnswer and maxAnswer values. If the price lies outside these bounds, the protocol should handle the anomaly appropriately.
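One way to implement the recommended check, as an added example that is not the project's own code. The contract, error and local interface names are assumptions; the sketch assumes the feed proxy exposes aggregator() and that the underlying aggregator exposes minAnswer() and maxAnswer(), and it handles the anomaly by reverting, which is only one possible policy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal local interfaces (names are assumptions for this example).
interface IFeedProxy {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

    // Address of the aggregator currently behind the proxy.
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical reader contract illustrating the bounds check.
contract BoundedChainlinkReader {
    error NonPositivePrice(int256 answer);
    error PriceAtOrBelowMin(int256 answer, int192 minAnswer);
    error PriceAtOrAboveMax(int256 answer, int192 maxAnswer);

    IFeedProxy public immutable feed;

    constructor(IFeedProxy feed_) {
        feed = feed_;
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        if (answer <= 0) revert NonPositivePrice(answer);

        // Read the bounds on every call: the proxy can be repointed to a
        // new aggregator, so cached bounds could go out of date.
        IOffchainAggregator agg = IOffchainAggregator(feed.aggregator());
        int192 minA = agg.minAnswer();
        int192 maxA = agg.maxAnswer();

        // An answer sitting exactly on a bound is treated as capped and
        // rejected, because the real market price may lie beyond it.
        if (answer <= minA) revert PriceAtOrBelowMin(answer, minA);
        if (answer >= maxA) revert PriceAtOrAboveMax(answer, maxA);

        return uint256(answer);
    }
}
```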
LightChaser: [Low-25] Chainlink answer is not compared against min/max values