oracle_lib never rejects a zero or negative Chainlink price, corrupting valuation and bricking liquidations via division by zero
oracle_lib never rejects a zero or negative Chainlink price, corrupting collateral valuation and bricking liquidations
Description
_stale_check_latest_round_data validates updated_at, answered_in_round, and the heartbeat timeout, but never checks that price > 0. A Chainlink feed returning 0 (or a negative answer) passes every assert and is consumed directly by the valuation math.
A price == 0 then reaches _get_usd_value (collateral worth $0) and _get_token_amount_from_usd, where it divides by price * ADDITIONAL_FEED_PRECISION == 0.
Risk
Likelihood:
Medium. Chainlink aggregators can report 0 during incident conditions / phase transitions, and convert(price, uint256) of a negative int256 wraps to a huge positive number rather than reverting, producing a silently wrong valuation.
Impact:
High. A zero price values all collateral of that type at $0, instantly making every borrower against it liquidatable, while _get_token_amount_from_usd reverts on division-by-zero, so liquidate itself bricks. A wrapped negative price massively overvalues collateral, letting an attacker mint unlimited DSC.
Proof of Concept
Set the mock aggregator answer to 0, then exercise both consumers.
Recommended Mitigation
Reject non-positive prices in the staleness wrapper.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.